[ 
https://issues.apache.org/jira/browse/SPARK-16769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sean Owen updated SPARK-16769:
------------------------------
      Priority: Minor  (was: Major)
    Issue Type: Improvement  (was: Question)

I think the issue is that jets3t needs to match up with Hadoop versions. It 
should be OK to update to maintenance releases, but not across minor releases 
necessarily. I recall issues with that. However 0.7.1 is only used for Hadoop 
2.2. See the profiles later that set this to 0.9.3. You can update those. See 
if that fixes it.

You don't need another JIRA. Make a PR for this one.

> httpclient classic dependency - potentially a patch required?
> -------------------------------------------------------------
>
>                 Key: SPARK-16769
>                 URL: https://issues.apache.org/jira/browse/SPARK-16769
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.6.2, 2.0.0
>         Environment: All Spark versions, any environment
>            Reporter: Adam Roberts
>            Priority: Minor
>
> In our jars folder for Spark we provide a jar with a CVE 
> https://www.versioneye.com/java/commons-httpclient:commons-httpclient/3.1. 
> CVE-2012-5783
> This paper outlines the problem
> www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> My question is: do we need to ship this version as well or is it only used 
> for tests? Is it a patched version? I plan to run without this dependency and 
> if there are NoClassDefFound problems I'll add <scope>test</scope> so we 
> don't ship it (downloading it in the first place is bad enough though)
> Note that this is valid for all versions, suggesting it be raised to a 
> critical if Spark functionality is depending on it because of what the pdf 
> I've linked to mentions
> Here is the jar being included:
> ls $SPARK_HOME/jars | grep "httpclient"
> commons-httpclient-3.1.jar
> httpclient-4.5.2.jar
> The first jar potentially contains the security issue, could be a patched 
> version, need to verify. SHA1 sum for this jar is 
> 964cd74171f427720480efdec40a7c7f6e58426a



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
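The check the reporter describes (list the httpclient jars under $SPARK_HOME/jars and record the SHA1 of commons-httpclient-3.1.jar) as a small POSIX shell audit. This is an added example, not code from the JIRA thread or from the Spark project. It assumes the jars directory layout shown in the report and only compares each commons-httpclient-*.jar against the SHA1 quoted in the report; whether a matching jar is the unpatched upstream release is exactly what the reporter says still needs verifying, so the script reports the comparison and leaves that judgement to the reader.

```shell
#!/bin/sh
# Added example (not from SPARK-16769 or the Spark code base): audit a Spark
# jars directory for commons-httpclient 3.x, the artifact the report links to
# CVE-2012-5783, and compare each file's SHA1 with the hash quoted in the report.

# SHA1 the reporter recorded for the shipped commons-httpclient-3.1.jar.
REPORTED_SHA1="964cd74171f427720480efdec40a7c7f6e58426a"

# sha1_of FILE: print the hex SHA1 of FILE using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# audit_httpclient_jars DIR
# Prints one line per commons-httpclient-*.jar in DIR:
#   <file> <sha1> <status>
# status is MATCHES_REPORTED when the SHA1 equals the one quoted in the
# report, DIFFERENT otherwise (a rebuilt or patched jar, or another file).
# The httpclient-4.x jar is deliberately not matched: the report only
# questions the classic 3.x artifact.
# Returns 1 if any commons-httpclient 3.x jar is present (so a build or
# packaging step can fail on it), 0 if none is found.
audit_httpclient_jars() {
    dir="$1"
    found=0
    for jar in "$dir"/commons-httpclient-*.jar; do
        [ -e "$jar" ] || continue   # glob did not match: nothing to report
        found=1
        sha=$(sha1_of "$jar")
        if [ "$sha" = "$REPORTED_SHA1" ]; then
            status=MATCHES_REPORTED
        else
            status=DIFFERENT
        fi
        printf '%s %s %s\n' "$(basename "$jar")" "$sha" "$status"
    done
    if [ "$found" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Usage: sh audit.sh "$SPARK_HOME/jars"
if [ $# -gt 0 ]; then
    audit_httpclient_jars "$1"
fi
```

The non-zero return on a hit is what makes the script useful in CI: wire it after the assembly step and a commons-httpclient 3.x jar reappearing in the distribution (for example after a Hadoop profile change) fails the build instead of shipping silently.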
