[ https://issues.apache.org/jira/browse/HIVE-12469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018910#comment-15018910 ]
Ashutosh Chauhan commented on HIVE-12469:
-----------------------------------------

yeah.. I don't know if there is something better we can do here short of updating all our immediate dependencies to their respective versions which don't use the 3.2.1 version. This patch at least makes sure that Hive is not bringing in the offending version on the runtime classpath.

> Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: HIVE-12469
>                 URL: https://issues.apache.org/jira/browse/HIVE-12469
>             Project: Hive
>          Issue Type: Bug
>          Components: Build Infrastructure
>            Reporter: Reuben Kuhnert
>            Assignee: Reuben Kuhnert
>            Priority: Blocker
>         Attachments: HIVE-12469.patch
>
>
> Currently the commons-collections (3.2.1) library allows for invocation of arbitrary code through {{InvokerTransformer}}; need to bump the version of commons-collections from 3.2.1 to 3.2.2 to resolve this issue.
> Results of {{mvn dependency:tree}}:
> {code}
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
> [INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
> [INFO] +- com.google.guava:guava:jar:14.0.1:compile
> [INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
> {code}
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Hive Packaging 2.0.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
> [INFO] |  +- org.apache.hbase:hbase-server:jar:1.1.1:compile
> [INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
> {code}
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Hive Common 2.0.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-common ---
> [INFO] +- org.apache.hadoop:hadoop-common:jar:2.6.0:compile
> [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}
> ({{Hadoop-Common}} dependency also found in: LLAP, Serde, Storage, Shims, Shims Common, Shims Scheduler)
> {code}
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant ---
> [INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
> {code}
> {code}
> [INFO]
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Hive Accumulo Handler 2.0.0-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO] +- org.apache.accumulo:accumulo-core:jar:1.6.0:compile
> [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
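The issue above lists the `mvn dependency:tree` output by hand, one module at a time. The check a reviewer would want after applying a patch like HIVE-12469 is an automated pass over that same output that flags every module still pulling in a commons-collections version below the fixed one (3.2.2). The script below is an added example, not part of the JIRA issue or of Hive's build; it assumes the default text format of `mvn dependency:tree` (module headers of the form `[INFO] Building <name> <version>` and dependency lines of the form `groupId:artifactId:type[:classifier]:version:scope`), and the `SAMPLE_TREE` lines are constructed to mirror the excerpts in the issue, plus one constructed module already on 3.2.2 to show it is not flagged.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Module header and dependency-line patterns for the default
# `mvn dependency:tree` text output (assumption: unchanged format).
MODULE_RE = re.compile(r"^\[INFO\] Building (?P<module>.+) (?P<version>\d[\w.-]*)$")
COORD_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+)"
    r"(?::(?P<classifier>[\w.-]+))?:(?P<version>[\w.-]+):(?P<scope>\w+)$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1). A qualifier such as '-SNAPSHOT' is dropped and
    non-numeric components count as 0, so tuple comparison never raises."""
    numeric = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in numeric.split("."))


def find_vulnerable(
    lines: Iterable[str],
    coordinate: str = "commons-collections:commons-collections",
    fixed_in: Tuple[int, ...] = (3, 2, 2),
) -> List[Dict[str, str]]:
    """Walk dependency:tree output and return one finding per dependency line
    whose group:artifact matches `coordinate` and whose version is < fixed_in.
    Each finding records the Maven module the line appeared under."""
    group, artifact = coordinate.split(":")
    findings: List[Dict[str, str]] = []
    module = "<unknown module>"
    for raw in lines:
        line = raw.rstrip()
        header = MODULE_RE.match(line)
        if header:
            module = header.group("module")   # entered a new reactor module
            continue
        dep = COORD_RE.search(line)
        if dep is None or (dep.group("group"), dep.group("artifact")) != (group, artifact):
            continue
        version = dep.group("version")
        if parse_version(version) < fixed_in:
            findings.append({
                "module": module,
                "version": version,
                "scope": dep.group("scope"),
                "line": line,
            })
    return findings


# Constructed sample mirroring the issue's excerpts (HPL/SQL on 3.2.1,
# Ant Utilities on 3.1) plus a constructed module already on 3.2.2.
SAMPLE_TREE = """\
[INFO] ------------------------------------------------------------------------
[INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
[INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] Building Example Patched Module 2.0.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
""".splitlines()


if __name__ == "__main__":
    # Typical use: mvn dependency:tree | python3 check_collections.py
    import sys
    source = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin
    for hit in find_vulnerable(source):
        print(f"{hit['module']}: commons-collections {hit['version']} ({hit['scope']})")
```

Run it against the real build with `mvn dependency:tree | python3 check_collections.py`; an empty result means no module resolves a commons-collections below 3.2.2 on its compile classpath, which is the property the comment above says the patch is meant to guarantee. The check intentionally looks at every module in the reactor rather than only the root, because the issue shows the old version arriving transitively through different parents (hadoop-common, hbase-server, accumulo-core) in different modules.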