Hive 2.0.0 has been released with this fix. For earlier released versions, the workaround of using the additional hook is available, as described in the CVE. There might be a 1.2.2 release, but I haven't seen active work or discussions around that yet.
On Mon, Feb 15, 2016 at 9:09 AM, Adam Roberts <arobe...@uk.ibm.com> wrote:
> Hi, any update on this?
>
> Copying my initial post from a week ago as I don't have the original email to reply to.
>
> Are there plans to release Hive 1.2.2 with the authorization fix mentioned in www.openwall.com/lists/oss-security/2016/01/28/12?
>
> The above CVE description mentions "This issue has already been patched in all Hive branches that are affected, and any future release will not need these mitigation steps."
>
> I see the binaries were last updated on the 26th of June 2015 based on http://mvnrepository.com/artifact/org.apache.hive/hive-exec/1.2.1 and the Hive downloads page https://hive.apache.org/downloads.html, so AFAIK the binaries haven't been updated and therefore any project depending on Hive (e.g. Apache Spark, which bundles classes from 1.2.1, which is impacted) will download and bundle the unpatched and vulnerable Hive code.
>
> I think I've found the right commit based on searching for "security" for Hive commits on branch 1.2.1 since four months ago; it's dated after the 26th of June and hence my concern.
>
> As updating the jar for 1.2.1 would add doubt over whether the fix is available in the jar or not, I think there should be a new minor release (let's say 1.2.2) to avoid this.
>
> Cheers,