[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15930691#comment-15930691 ]

Vaibhav Gumashta commented on HIVE-12469:
-----------------------------------------

Committed to 1.2

> Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: HIVE-12469
>                 URL: https://issues.apache.org/jira/browse/HIVE-12469
>             Project: Hive
>          Issue Type: Bug
>          Components: Build Infrastructure
>    Affects Versions: 1.2.1
>            Reporter: Reuben Kuhnert
>            Assignee: Ashutosh Chauhan
>            Priority: Blocker
>             Fix For: 1.3.0, 2.0.0
>
>         Attachments: HIVE-12469.2-branch1.patch, HIVE-12469.2.patch, HIVE-12469.patch
>
>
> Currently the commons-collections (3.2.1) library allows for invocation of arbitrary code through {{InvokerTransformer}}, need to bump the version of commons-collections from 3.2.1 to 3.2.2 to resolve this issue.
>
> Results of {{mvn dependency:tree}}:
>
> {code}
> [INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
> [INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
> [INFO] +- com.google.guava:guava:jar:14.0.1:compile
> [INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
>
> {code}
> [INFO] Building Hive Packaging 2.0.0-SNAPSHOT
> [INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
> [INFO] |  +- org.apache.hbase:hbase-server:jar:1.1.1:compile
> [INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
>
> {code}
> [INFO] Building Hive Common 2.0.0-SNAPSHOT
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-common ---
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.6.0:compile
> [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
>
> {{Hadoop-Common}} dependency also found in: LLAP, Serde, Storage, Shims, Shims Common, Shims Scheduler
>
> {code}
> [INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant ---
> [INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
> {code}
>
> {code}
> [INFO] Building Hive Accumulo Handler 2.0.0-SNAPSHOT
> [INFO] +- org.apache.accumulo:accumulo-core:jar:1.6.0:compile
> [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
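The trees quoted in the issue show the vulnerable jar arriving both directly (hive-hplsql, hive-ant) and transitively through hadoop-common, hbase-server and accumulo-core, which is why a single declared version is not enough evidence that a build is clean. The following is an added example, not Hive project code or part of the patch: a scanner for `mvn dependency:tree` output that reports every commons-collections below 3.2.2 together with the module and the parent chain that pulls it in, so a pin can be verified module by module after the bump. The sample tree is constructed from the issue's excerpts (with Maven's real connector spacing and module root lines added); `hive-fixed` is a hypothetical module that already carries 3.2.2.

```python
"""Flag commons-collections versions below 3.2.2 in `mvn dependency:tree` output.

Added example for HIVE-12469 (not Hive project code): walks the tree Maven
prints per module, keeps the parent chain, and reports every hit with the
artifact that pulls it in, so a dependencyManagement pin can be checked.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Coordinates named in the issue; 3.2.2 is the first release that refuses to
# deserialize InvokerTransformer and its sibling functors.
TARGET_GROUP_ARTIFACT = ("commons-collections", "commons-collections")
FIXED_VERSION = (3, 2, 2)

# Constructed sample built from the trees quoted in the issue. Connector spacing
# is as mvn prints it (3 characters per level), module root lines are added,
# and `hive-fixed` is a hypothetical module that already carries 3.2.2.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
[INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-packaging ---
[INFO] org.apache.hive:hive-packaging:jar:2.0.0-SNAPSHOT
[INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
[INFO] |  +- org.apache.hbase:hbase-server:jar:1.1.1:compile
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant ---
[INFO] org.apache.hive:hive-ant:jar:2.0.0-SNAPSHOT
[INFO] \\- commons-collections:commons-collections:jar:3.1:compile
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-fixed ---
[INFO] org.apache.hive:hive-fixed:jar:2.0.0-SNAPSHOT
[INFO] \\- commons-collections:commons-collections:jar:3.2.2:compile
"""


class Finding(NamedTuple):
    module: str    # module whose tree contains the hit
    version: str   # commons-collections version found
    direct: bool   # declared by the module itself (depth 1) rather than inherited
    path: str      # artifactId chain from the module root down to the hit


MODULE_RE = re.compile(r"@ (\S+) ---$")
# Tree connectors come in 3-character cells: "+- ", "\- ", "|  " or "   ".
NODE_RE = re.compile(r"^((?:[|+\\\- ]{3})*)(\S+)$")


def parse_coordinate(coord: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version), or None for non-coordinate text."""
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric components only, so 3.1 < 3.2.1 < 3.2.2 compare as expected."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(group: str, artifact: str, version: str) -> bool:
    return (group, artifact) == TARGET_GROUP_ARTIFACT and version_tuple(version) < FIXED_VERSION


def scan_dependency_tree(text: str) -> List[Finding]:
    findings: List[Finding] = []
    module = "<unknown module>"
    stack: List[Tuple[str, str, str]] = []  # ancestors of the current node, by depth
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        header = MODULE_RE.search(line)
        if header:                      # a new module's tree starts here
            module, stack = header.group(1), []
            continue
        node = NODE_RE.match(line)
        if not node:                    # banners, blank lines, other log text
            continue
        coord = parse_coordinate(node.group(2))
        if coord is None:               # e.g. a separator line of dashes
            continue
        depth = len(node.group(1)) // 3
        del stack[depth:]               # leaving a subtree pops its ancestors
        stack.append(coord)
        if is_vulnerable(*coord):
            findings.append(Finding(module, coord[2], depth == 1,
                                    " -> ".join(c[1] for c in stack)))
    return findings


if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        origin = "direct" if f.direct else "transitive"
        print(f"{f.module}: commons-collections {f.version} ({origin}) via {f.path}")
```

On a real build, feed it `mvn dependency:tree` run from the root of the multi-module project so every module's tree is covered, including those that only inherit the jar from hadoop-common.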
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15036100#comment-15036100 ]

Ashutosh Chauhan commented on HIVE-12469:
-----------------------------------------

yeah.. all failures are because of golden file changes because of other patches. I will commit this shortly.
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15036033#comment-15036033 ]

Sergio Peña commented on HIVE-12469:
------------------------------------

Seems the branch-1 is not tested too often, and many old patches added failures to the tests.

[~ashutoshc] What do you think about it? Can we commit this patch to branch-1?
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15035041#comment-15035041 ]

Hive QA commented on HIVE-12469:
--------------------------------

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12774385/HIVE-12469.2-branch1.patch

ERROR: -1 due to no test(s) being added or modified.

ERROR: -1 due to 51 failed/errored test(s), 9206 tests executed

*Failed tests:*
{noformat}
TestSparkCliDriver-groupby_map_ppr_multi_distinct.q-groupby10.q-timestamp_comparison.q-and-12-more - did not produce a TEST-*.xml file
TestSparkCliDriver-join_cond_pushdown_unqual4.q-vectorization_16.q-union_remove_1.q-and-12-more - did not produce a TEST-*.xml file
TestSparkCliDriver-table_access_keys_stats.q-groupby_complex_types.q-vectorization_10.q-and-12-more - did not produce a TEST-*.xml file
TestSparkCliDriver-vector_distinct_2.q-load_dyn_part2.q-join35.q-and-12-more - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_auto_join_filters
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_auto_join_nulls
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_avrocountemptytbl
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_cross_join
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_dynamic_rdd_cache
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby10
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby11
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_groupby8
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_join_filters
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_join_merge_multi_expressions
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_join_nulls
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_orc_merge10
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_orc_merge11
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_parquet_mixed_partition_formats
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_temp_table_gb1
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_union_fast_stats
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_vector_join_filters
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_vector_join_nulls
org.apache.hadoop.hive.cli.TestEncryptedHDFSCliDriver.testCliDriver_encryption_drop_partition
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_vector_inner_join
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_vector_outer_join1
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_vector_outer_join2
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_vector_outer_join4
org.apache.hadoop.hive.cli.TestMiniSparkOnYarnCliDriver.testCliDriver_vector_outer_join5
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_auto_join_filters
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_cross_join
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_groupby2
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_orc_merge10
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_orc_merge11
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_tez_smb_empty
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_union_fast_stats
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_vector_join_filters
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_vector_join_nulls
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_groupby2
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_index_bitmap3
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_ql_rewrite_gbtoidx_cbo_2
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_stats_counter_partitioned
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_authorization_uri_import
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_auto_join_filters
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_auto_join_nulls
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_cross_join
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_dynamic_rdd_cache
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_load_dyn_part14
org.apache.hadoop.hive.cli.TestSparkCliDriver.testCliDriver_vector_count_distinct
org.apache.hadoop.hive.ql.TestMTQueries.testMTQueries1
org.apache.hive.hcatalog.api.TestHCatClient.testTableSchemaPropagation
org.apache.hive.jdbc.TestSSL.testSSLVersion
{noformat}

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-BRANCH_1-Build/6/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-BRANCH_1-Build/6/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-BRANCH_1-Build-6/

Messages:
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15027156#comment-15027156 ]

Sergio Peña commented on HIVE-12469:
------------------------------------

Just upload another patch with the filename "HIVE-12469.2-branch1.patch".
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15027146#comment-15027146 ]

Ashutosh Chauhan commented on HIVE-12469:
-----------------------------------------

[~spena] How do I trigger the QA run for branch-1?
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15027116#comment-15027116 ]

Sergio Peña commented on HIVE-12469:
------------------------------------

Changes look good guys. +1

[~ashutoshc] Could we commit this to branch-1 so that we have this vulnerability fix available soon? Should we upload another file to test the fix on branch-1?
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15027105#comment-15027105 ]

Reuben Kuhnert commented on HIVE-12469:
---------------------------------------

LGTM (Non-committer) +1
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15026121#comment-15026121 ]

Hive QA commented on HIVE-12469:
--------------------------------

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12773866/HIVE-12469.2.patch

ERROR: -1 due to no test(s) being added or modified.

ERROR: -1 due to 4 failed/errored test(s), 9827 tests executed

*Failed tests:*
{noformat}
TestHWISessionManager - did not produce a TEST-*.xml file
TestMiniLlapCliDriver - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_authorization_uri_import
org.apache.hive.jdbc.TestSSL.testSSLVersion
{noformat}

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/6119/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/6119/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-6119/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 4 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12773866 - PreCommit-HIVE-TRUNK-Build
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15020695#comment-15020695 ]

Reuben Kuhnert commented on HIVE-12469:
---------------------------------------

I hear you. I guess the issue is not so much where the jar comes from, but rather the jar itself. If we are still using version {{3.2.1}} even if it comes from the end user's machine, that will still contain the exploit. Is there a reason we can't bump the version to {{3.2.2}}? Everything else looks good to me.
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15020450#comment-15020450 ]

Hive QA commented on HIVE-12469:
--------------------------------

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12773569/HIVE-12469.patch

ERROR: -1 due to no test(s) being added or modified.

ERROR: -1 due to 9 failed/errored test(s), 9834 tests executed

*Failed tests:*
{noformat}
TestHWISessionManager - did not produce a TEST-*.xml file
TestMiniLlapCliDriver - did not produce a TEST-*.xml file
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_subquery_notin
org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_subquery_notin_having
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_explainuser_1
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_tez_dynpart_hashjoin_3
org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_tez_smb_empty
org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_authorization_uri_import
org.apache.hive.jdbc.TestSSL.testSSLVersion
{noformat}

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/6091/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/6091/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-6091/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 9 tests failed
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12773569 - PreCommit-HIVE-TRUNK-Build
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018910#comment-15018910 ]
Ashutosh Chauhan commented on HIVE-12469:

Yeah.. I don't know if there is something better we can do here short of updating all our immediate dependencies to their respective versions which don't use the 3.2.1 version. This patch at least makes sure that Hive is not bringing in the offending version on the runtime classpath.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018680#comment-15018680 ]
Reuben Kuhnert commented on HIVE-12469:

So that looks good to me for the most part, I guess my only question is this:

{code}
+3.2.1 1.9 1.1 3.0.1
@@ -303,7 +304,13 @@ commons-codec ${commons-codec.version} - + +commons-collections +commons-collections +${commons-collections.version} +provided +
{code}

I would assume that at runtime this would still add {{commons-collections-3.2.1}} to the runtime classpath (even if we do expect it to be provided by the end user), which might re-introduce the issue. Feel free to correct me if I'm wrong though.
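Review bot: the only added property value in the first hunk is `+3.2.1`, which is what `${commons-collections.version}` in the new managed dependency resolves to, so this pins the very release the issue is about; `provided` scope keeps the jar out of Hive's packaged runtime classpath and out of transitive resolution for consumers of Hive artifacts, but it stays on the compile and test classpath, and the hadoop-common and hbase-server paths shown in the dependency tree are not touched by this hunk at all. Suggest setting the property to 3.2.2 so that any classpath that does take Hive's managed version gets the fixed release, and pairing it with an `<exclusion>` on the transitive sources (hadoop-common, as discussed in this thread) so 3.2.1 cannot come back through them.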
found in: LLAP, Serde, Storage, Shims, > Shims Common, Shims Scheduler) > {code} > [INFO] > > [INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT > [INFO] > > [INFO] > [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant --- > [INFO] | +- commons-collections:commons-collections:jar:3.1:compile > {code} > {code} > [INFO] > > [INFO] > > [INFO] Building Hive Accumulo Handler 2.0.0-SNAPSHOT > [INFO] > > [INFO] +- org.apache.accumulo:accumulo-core:jar:1.6.0:compile > [INFO] | +- commons-collections:commons-collections:jar:3.2.1:compile > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018140#comment-15018140 ]
Dmitry Tolpeko commented on HIVE-12469:

This dependency can be removed, not sure now how it appeared, sorry. I ran tests successfully.
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014202#comment-15014202 ]
Dmitry Tolpeko commented on HIVE-12469:

I will remove the dependency and try to compile. The exact version was specified in hplsql/pom.xml since there was no ${commons-collections.version} in the top pom.
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014176#comment-15014176 ]
Ashutosh Chauhan commented on HIVE-12469:

Actually, the direct dependency declared in hplsql is redundant and is not used anywhere. We can simply remove it. [~dmtolpeko] Can you confirm?
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014133#comment-15014133 ]
Ashutosh Chauhan commented on HIVE-12469:

I think we can upgrade the direct dependency. For hadoop-common we can just simply exclude it, since at run time the hadoop jars and their deps are present in the classpath by default, the way Hive works.
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014124#comment-15014124 ]
Reuben Kuhnert commented on HIVE-12469:

Looks like there is only one direct dependency, but numerous downstream references (a number of them to {{hadoop-common}}). Any suggestions on how we want to fix this?
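Ashutosh's suggestion to exclude commons-collections from hadoop-common and Reuben's count of one direct dependency plus many downstream references are both questions about the dependency tree. The checker below is an added example, not code from this issue or from Hive: it parses `mvn dependency:tree` output (a constructed sample in the shape of the excerpts quoted in the issue, with the hplsql entry given `provided` scope to mirror the patch under discussion), flags every commons-collections below 3.2.2, and names the direct dependency an `<exclusion>` would go on. `provided` copies are reported as well, since the tree still shows them on the compile and test classpath.

```python
import re
from typing import Dict, List, Tuple

VULNERABLE_GA = "commons-collections:commons-collections"
FIXED_VERSION = (3, 2, 2)  # 3.2.2 disables the unsafe functors by default

# Constructed sample in the shape of the dependency:tree excerpts in the issue;
# "+-" / "\-" markers and 3-column indentation follow Maven's real output.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
[INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.1:provided
[INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
[INFO] |  \\- org.apache.hbase:hbase-server:jar:1.1.1:compile
[INFO] |     \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.6.0:compile
[INFO] |  \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.4:compile
"""
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?P<marker>[+\\]- )?"
                     r"(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$")


def parse_tree(text: str) -> List[Dict]:
    """One dict per artifact line: depth, group:artifact, version, scope."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # banner, separator and blank lines
            continue
        parts = m.group("coord").split(":")
        if len(parts) == 4:    # module root: group:artifact:type:version
            version, scope = parts[3], None
        elif len(parts) == 5:  # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        else:                  # group:artifact:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        depth = len(m.group("prefix")) // 3 + (1 if m.group("marker") else 0)
        nodes.append({"depth": depth, "ga": f"{parts[0]}:{parts[1]}",
                      "version": version, "scope": scope})
    return nodes


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of the release part: '3.2.1-SNAPSHOT' -> (3, 2, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def find_vulnerable(text: str) -> List[Dict]:
    """Each commons-collections < 3.2.2, the path that pulls it in, and the fix."""
    findings, stack = [], []  # stack[d] is the current ancestor at depth d
    for node in parse_tree(text):
        del stack[node["depth"]:]  # leave the previous subtree
        stack.append(node)
        if node["ga"] != VULNERABLE_GA or version_key(node["version"]) >= FIXED_VERSION:
            continue
        direct = node["depth"] == 1
        findings.append({
            "module": stack[0]["ga"], "version": node["version"],
            "scope": node["scope"],  # provided is reported too: still on compile/test classpath
            "direct": direct, "path": [n["ga"] for n in stack[1:]],
            # transitive copies need an <exclusion> on the direct dependency at depth 1
            "exclude_from": None if direct else stack[1]["ga"],
        })
    return findings


def report(findings: List[Dict]) -> List[str]:
    """One remediation line per finding."""
    lines = []
    for f in findings:
        fix = ("bump the declared version to 3.2.2" if f["direct"] else
               f"exclude it from {f['exclude_from']} and manage 3.2.2 explicitly")
        lines.append(f"{f['module']}: commons-collections {f['version']} ({f['scope']}) via "
                     f"{' -> '.join(f['path'])}; {fix}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_vulnerable(SAMPLE_TREE))))
```

Against a real build, feed it the output of `mvn dependency:tree -Dincludes=commons-collections`; the regex expects the plain (non-verbose) tree format.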
[jira] [Commented] (HIVE-12469) Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15014084#comment-15014084 ]
Ashutosh Chauhan commented on HIVE-12469:

Thanks, [~sircodesalot], for the heads up. Is there any changelog for 3.2.1-3.2.2? Want to make sure there are no gotchas in migration.