[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Resolution: Fixed
    Status: Resolved  (was: Patch Available)

TestLogLevel passes in master branch.

Thanks for the review, Stack.

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Priority: Critical
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt,
> 16267.v13.txt, 16267.v14.txt, 16267.v15.txt, 16267.v15.txt, 16267.v2.txt,
> 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the
> code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}
> HADOOP-12767
> to move the uses of httpclient HADOOP-10105
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 :
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting
> during an SSL handshake, which allows remote attackers to cause a denial of
> service (HTTPS call hang) via unspecified vectors.
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
> Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments
> Service (FPS) merchant Java SDK and other products, does not verify that the
> server hostname matches a domain name in the subject's Common Name (CN) or
> subjectAltName field of the X.509 certificate, which allows man-in-the-middle
> attackers to spoof SSL servers via an arbitrary valid certificate.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

stack updated HBASE-16267:
--
    Attachment: 16267.v15.txt

Retry to see if tests are flakey and how long build takes.
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Release Note:
This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2.
This is to handle the following CVE's.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Downstream users who are exposed to commons-httpclient via the HBase classpath will have to similarly update their dependency.

  was:
This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Downstream users who are exposed to commons-httpclient via the HBase classpath will have to similarly update their dependency.
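
For downstream users checking their own classpath as the release note above asks, here is an added example (not part of the JIRA thread or of HBase) that walks `mvn dependency:tree` output and reports the inclusion path of commons-httpclient 3.x and of httpclient older than 4.3.6. The sample tree is constructed from the one quoted in the issue, assuming Maven's usual three-column indentation; the `org.example:*` artifacts and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# Coordinates and version bound taken from the issue text.
LEGACY_GA = ("commons-httpclient", "commons-httpclient")   # Commons HttpClient 3.x
HTTPCLIENT_GA = ("org.apache.httpcomponents", "httpclient")
FIXED_IN = (4, 3, 6)   # CVE-2015-5262: "HttpClient before 4.3.6"

# "[INFO] " + zero or more 3-column indent units + optional "+- " or "\- " + coordinate
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<marker>[+\\]- )?(?P<coord>\S+)$"
)

# Constructed sample: the tree quoted in the issue under a hypothetical root,
# plus a hypothetical second path that pulls in an old httpclient 4.x.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree ---
[INFO] org.example:downstream-app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.example:legacy-sdk:jar:2.0:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
[INFO] \- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
"""


class Node(NamedTuple):
    depth: int
    group: str
    artifact: str
    version: str

    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


class Finding(NamedTuple):
    gav: str          # the flagged artifact
    reason: str       # which advisory from the issue applies
    path: List[str]   # root -> ... -> flagged artifact


def parse_line(line: str) -> Optional[Node]:
    """Parse one dependency:tree line; return None for banners and log noise."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    parts = m.group("coord").split(":")
    if len(parts) == 4:                       # root: group:artifact:type:version
        group, artifact, _type, version = parts
    elif len(parts) == 5:                     # group:artifact:type:version:scope
        group, artifact, _type, version, _scope = parts
    elif len(parts) == 6:                     # ...:type:classifier:version:scope
        group, artifact, _type, _classifier, version, _scope = parts
    else:
        return None
    depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
    return Node(depth, group, artifact, version)


def version_tuple(version: str) -> tuple:
    """Leading numeric components only, e.g. '4.2.5' -> (4, 2, 5)."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def find_vulnerable_paths(tree_text: str) -> List[Finding]:
    """Return every flagged artifact together with the chain that includes it."""
    stack: List[Node] = []
    findings: List[Finding] = []
    for line in tree_text.splitlines():
        node = parse_line(line)
        if node is None:
            continue
        del stack[node.depth:]                # drop siblings and deeper levels
        stack.append(node)
        ga = (node.group, node.artifact)
        if ga == LEGACY_GA:
            reason = "Commons HttpClient 3.x: no hostname verification (CVE-2012-5783)"
        elif ga == HTTPCLIENT_GA and version_tuple(node.version) < FIXED_IN:
            reason = "httpclient before 4.3.6: handshake ignores timeout (CVE-2015-5262)"
        else:
            continue
        findings.append(Finding(node.gav(), reason, [n.gav() for n in stack]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_paths(SAMPLE_TREE):
        print(f"{f.gav}\n  {f.reason}\n  via: " + " -> ".join(f.path))
```

The path in each finding names the direct dependency that needs an upgrade or an exclusion, which is the information the transitive `hadoop-common` entry in the issue was hiding.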
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Release Note:
This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Downstream users who are exposed to commons-httpclient via the HBase classpath will have to similarly update their dependency.

  was:
This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2.

Downstream users who are exposed to it via the HBase classpath will have to similarly update their dependency.
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v15.txt

Patch v15 with the change to TestLogLevel suggested by Stack.

I checked dependency tree which doesn't show dependency on commons-httpclient in shaded module.
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Description:
hbase-rest module still has imports from org.apache.commons.httpclient .

There is more work to be done after HBASE-15767 was integrated.

In master branch, there seems to be transitive dependency which allows the code to compile:
{code}
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] | +- xmlenc:xmlenc:jar:0.52:compile
[INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
{code}
https://issues.apache.org/jira/browse/HADOOP-12767
to move the uses of httpclient
https://issues.apache.org/jira/browse/HADOOP-10105

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  was:
hbase-rest module still has imports from org.apache.commons.httpclient .

There is more work to be done after HBASE-15767 was integrated.

In master branch, there seems to be transitive dependency which allows the code to compile:
{code}
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] | +- xmlenc:xmlenc:jar:0.52:compile
[INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
{code}
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Description:
hbase-rest module still has imports from org.apache.commons.httpclient .

There is more work to be done after HBASE-15767 was integrated.

In master branch, there seems to be transitive dependency which allows the code to compile:
{code}
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] | +- xmlenc:xmlenc:jar:0.52:compile
[INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
{code}
HADOOP-12767
to move the uses of httpclient HADOOP-10105

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  was:
hbase-rest module still has imports from org.apache.commons.httpclient .

There is more work to be done after HBASE-15767 was integrated.

In master branch, there seems to be transitive dependency which allows the code to compile:
{code}
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] | +- xmlenc:xmlenc:jar:0.52:compile
[INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
{code}
https://issues.apache.org/jira/browse/HADOOP-12767
to move the uses of httpclient
https://issues.apache.org/jira/browse/HADOOP-10105

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Status: Patch Available  (was: Reopened)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v14.txt

Patch v14 drops the exclusion in pom.xml

org.apache.hadoop.hbase.rest.\* and TestLogLevel pass based on v14.
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Priority: Critical  (was: Major)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Release Note:
This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2.

Downstream users who are exposed to it via the HBase classpath will have to similarly update their dependency.

  was: This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Release Note: This issue upgrades httpclient to 4.5.2 and httpcore to 4.4.4 which are the versions used by hadoop-2
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Resolution: Fixed
    Hadoop Flags: Reviewed
    Status: Resolved  (was: Patch Available)

Thanks for the review, Josh.
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v13.txt

Patch v13 drops the commented code.

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 16267.v13.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v12.txt

Thanks for the review, Josh.
Patch v12 addresses your review comments.

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v12.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v11.txt

Patch v11 addresses findbugs warning.

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v11.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v10.txt

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v10.txt, 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v9.txt

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt, 16267.v9.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Attachment: 16267.v8.txt

Patch v8 makes the body field of Response lazily populated.
Otherwise we get:
{code}
testSimpleScannerProtobuf(org.apache.hadoop.hbase.rest.TestTableScan) Time elapsed: 1.674 sec <<< ERROR!
java.io.IOException: Attempted read from closed stream.
  at org.apache.http.impl.io.ChunkedInputStream.read(ChunkedInputStream.java:179)
  at org.apache.http.conn.EofSensorInputStream.read(EofSensorInputStream.java:137)
  at java.io.DataInputStream.read(DataInputStream.java:100)
  at org.apache.hadoop.hbase.rest.TestTableScan.readProtobufStream(TestTableScan.java:429)
  at org.apache.hadoop.hbase.rest.TestTableScan.testSimpleScannerProtobuf(TestTableScan.java:389)
{code}

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v2.txt, 16267.v4.txt, 16267.v6.txt, 16267.v8.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Fix Version/s: 2.0.0

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Fix For: 2.0.0
>
> Attachments: 16267.v2.txt, 16267.v4.txt, 16267.v6.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Status: Patch Available (was: Open)

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: 16267.v2.txt, 16267.v4.txt, 16267.v6.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HBASE-16267) Remove commons-httpclient dependency from hbase-rest module
[ https://issues.apache.org/jira/browse/HBASE-16267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-16267:
---
    Summary: Remove commons-httpclient dependency from hbase-rest module (was: Remove httpclient dependency from hbase-rest module)

> Remove commons-httpclient dependency from hbase-rest module
> ---
>
> Key: HBASE-16267
> URL: https://issues.apache.org/jira/browse/HBASE-16267
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Attachments: 16267.v2.txt, 16267.v4.txt, 16267.v6.txt
>
>
> hbase-rest module still has imports from org.apache.commons.httpclient .
> There is more work to be done after HBASE-15767 was integrated.
> In master branch, there seems to be transitive dependency which allows the code to compile:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
> [INFO] | +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
> [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
> [INFO] | +- org.apache.commons:commons-math3:jar:3.1.1:compile
> [INFO] | +- xmlenc:xmlenc:jar:0.52:compile
> [INFO] | +- commons-httpclient:commons-httpclient:jar:3.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
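
A check for the situation the issue describes, where commons-httpclient 3.1 reaches the module only through hadoop-common: this added example (not part of the JIRA thread or the HBase patch) parses `mvn dependency:tree` output and reports the chain that pulls in a banned artifact. The root coordinate `example:rest-module`, the `BANNED` set and the function name are assumptions; the sample tree is constructed from the one quoted in the issue.

```python
import re

# Assumption: artifacts the build should no longer resolve, as (groupId, artifactId).
BANNED = {("commons-httpclient", "commons-httpclient")}

# Constructed sample: the tree quoted in the issue, under a placeholder root,
# in the three-characters-per-level layout that `mvn dependency:tree` prints.
SAMPLE_TREE = r"""
[INFO] example:rest-module:jar:0.0.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:2.7.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  \- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
"""

# "[INFO] " + zero or more "|  "/"   " indent cells + optional "+- "/"\- " + coordinate
NODE = re.compile(r"^\[INFO\] ((?:\|  |   )*)([+\\]- )?(\S+:\S+)$")


def find_banned(tree_text, banned=BANNED):
    """Return (coordinate, version, path_from_root) for each banned artifact."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # blank lines, plugin banners, build summary
        indent, marker, coords = m.groups()
        depth = len(indent) // 3 + 1 if marker else 0  # root line has no marker
        parts = coords.split(":")
        # root is group:artifact:type:version; dependencies append a scope
        version = parts[-2] if marker and len(parts) >= 5 else parts[-1]
        del stack[depth:]  # drop the previous sibling and its children
        stack.append(f"{parts[0]}:{parts[1]}")
        if (parts[0], parts[1]) in banned:
            findings.append((stack[-1], version, stack[:-1]))
    return findings


if __name__ == "__main__":
    hits = find_banned(SAMPLE_TREE)
    for coord, version, path in hits:
        kind = "transitive" if len(path) > 1 else "direct"
        print(f"{coord}:{version} ({kind}) via {' -> '.join(path)}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails a CI step
```

Maven's enforcer plugin offers a `bannedDependencies` rule that enforces the same policy inside the build itself.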