+1 for updating the dependencies in trunk. best, Colin
On Tue, Feb 16, 2016 at 9:20 AM, Wei-Chiu Chuang <weic...@cloudera.com> wrote: > Fellow Hadoop developers, > > Hadoop codebase depends on commons-httpclient, and its latest version, 3.1.2, > is EOL nearly 5 years ago. But because its API is not compatible with its > successor, httpclient 4, the community seem to have been reluctant to upgrade. > However, a lot of evidence indicates that commons-httpclient has a number of > security vulnerabilities which are never addressed, including CVE-2012-6153. > To make Hadoop less susceptible to existing and future vulnerabilities, we > should seriously consider replacing commons-httpclient with httpclient 4.x. > > There are a few Hadoop JIRAs that have patches available to address that, but > they really need more attention to get them committed: > HADOOP-10105 <https://issues.apache.org/jira/browse/HADOOP-10105> (remove > httpclient dependency) is the umbrella JIRA for all. > Other efforts includes HADOOP-11613 > <https://issues.apache.org/jira/browse/HADOOP-11613> (Remove httpclient > dependency from hadoop-azure), HADOOP-11614 > <https://issues.apache.org/jira/browse/HADOOP-11614> (Remove httpclient > dependency from hadoop-openstack), HADOOP-12710 > <https://issues.apache.org/jira/browse/HADOOP-12710> (Remove dependency on > commons-httpclient for TestHttpServerLogs), HADOOP-12711 > <https://issues.apache.org/jira/browse/HADOOP-12711> (Remove dependency on > commons-httpclient for ServletUtil). I’d also like to urge the community to > reject patches that imports commons-httpclient in the future. > > Additionally, Hadoop trunk depends on httpclient 4.2.5, which is known to > suffer from several security vulnerabilities as well, including > CVE-2012-6153, CVE-2011-4461, CVE-2014-3577, CVE-2015-5262. HADOOP-12767 > <https://issues.apache.org/jira/browse/HADOOP-12767> (update apache > httpclient version to the latest 4.5 for security) has a patch that bumps the > version to 4.5.1. But I’d like to ask the community whether we should do it > or not, and the implication of bump the latest version. > > Best regards, > Wei-Chiu Chuang > A very happy Clouderan >
