[ https://issues.apache.org/jira/browse/SPARK-16769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15397889#comment-15397889 ]

Adam Roberts commented on SPARK-16769:
--------------------------------------

[~rxin] [~srowen] Reynold and Sean, interested in what you think. A test run on
my VM hasn't produced any new failures after deleting the jar from my m2 repo.
I'm also trying to figure out if this version has a patch or not, so I'm running
with a test case described at
https://issues.apache.org/jira/browse/HTTPCLIENT-1265

A quick grep of the source code for Spark itself doesn't show it directly being
used in our code either:

aroberts@aroberts-VirtualBox:~/Desktop/Spark-DK$ grep -R "org.apache.commons.httpclient" .
Binary file ./dist/jars/commons-httpclient-3.1.jar matches
Binary file ./dist/jars/jets3t-0.9.3.jar matches
Binary file ./sql/hive/target/tmp/hive-ivy-cache/cache/commons-httpclient/commons-httpclient/jars/commons-httpclient-3.1.jar matches
Binary file ./sql/hive/target/tmp/hive-ivy-cache/jars/commons-httpclient_commons-httpclient-3.1.jar matches

Can you please clarify why we have this dependency?

> httpclient classic dependency - potentially a patch required?
> -------------------------------------------------------------
>
>                 Key: SPARK-16769
>                 URL: https://issues.apache.org/jira/browse/SPARK-16769
>             Project: Spark
>          Issue Type: Question
>          Components: Build
>    Affects Versions: 1.6.2, 2.0.0
>         Environment: All Spark versions, any environment
>            Reporter: Adam Roberts
>
> In our jars folder for Spark we provide a jar with a CVE, CVE-2012-5783:
> https://www.versioneye.com/java/commons-httpclient:commons-httpclient/3.1
> This paper outlines the problem:
> www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> My question is: do we need to ship this version as well, or is it only used
> for tests? Is it a patched version? I plan to run without this dependency and,
> if there are NoClassDefFound problems, I'll add <scope>test</scope> so we
> don't ship it (downloading it in the first place is bad enough though).
> Note that this is valid for all versions, suggesting it be raised to critical
> if Spark functionality is depending on it, because of what the pdf I've linked
> to mentions.
> Here is the jar being included:
> ls $SPARK_HOME/jars | grep "httpclient"
> commons-httpclient-3.1.jar
> httpclient-4.5.2.jar
> The first jar potentially contains the security issue; it could be a patched
> version, need to verify. SHA1 sum for this jar is
> 964cd74171f427720480efdec40a7c7f6e58426a



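As an added example (not code from the issue, from Spark or from its contributors), the following Python scan does what the grep and sha1sum steps above do by hand: it hashes every jar in a directory, compares the digest with the SHA1 quoted in the issue, and separates jars that ship the org.apache.commons.httpclient package from jars whose class files merely reference it (the consumers that would fail with NoClassDefFound if the jar were dropped). The jars it builds in build_sample_dir() are constructed stand-ins with fake class entries, not the real artifacts.

```python
"""Added example: inventory a jars directory for the commons-httpclient 3.x artifact
(by SHA-1) and for other jars whose class files reference its package."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

# SHA-1 of commons-httpclient-3.1.jar as quoted in the SPARK-16769 description.
ISSUE_SHA1 = "964cd74171f427720480efdec40a7c7f6e58426a"
# The package in the slash-separated form used inside class-file constant pools.
PKG = b"org/apache/commons/httpclient/"


def classify_jar(path: Path) -> dict:
    """Report whether a jar ships the httpclient 3.x package or only references it."""
    provides = references = False
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith(PKG.decode()):
                provides = True    # this jar IS commons-httpclient 3.x (or a repackaging)
            elif PKG in zf.read(name):
                references = True  # a consumer; dropping the jar would likely break it at runtime
    digest = hashlib.sha1(path.read_bytes()).hexdigest()
    return {"sha1": digest, "matches_issue_sha1": digest == ISSUE_SHA1,
            "provides_httpclient3": provides, "references_httpclient3": references}


def scan_jars(jar_dir: Path) -> dict:
    """Map jar file name -> classification for every *.jar in the directory."""
    return {jar.name: classify_jar(jar) for jar in sorted(jar_dir.glob("*.jar"))}


def build_sample_dir() -> Path:
    """Constructed stand-in for $SPARK_HOME/jars: tiny zips holding fake .class entries."""
    d = Path(tempfile.mkdtemp())
    magic = b"\xca\xfe\xba\xbe"  # class-file magic number; the rest is not a real class
    fake = {
        "commons-httpclient-3.1.jar": {"org/apache/commons/httpclient/HttpClient.class": magic},
        "jets3t-0.9.3.jar": {"org/jets3t/service/S3Service.class": magic + PKG + b"HttpClient"},
        "httpclient-4.5.2.jar": {"org/apache/http/client/HttpClient.class": magic},
    }
    for jar, entries in fake.items():
        with zipfile.ZipFile(d / jar, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    return d
```

Against a real installation, call scan_jars(Path(spark_home) / "jars") and look for entries with references_httpclient3 set but provides_httpclient3 unset; those are the jars that answer "why do we have this dependency".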