HBase / HBASE-15767

Upgrade httpclient dependency


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0
    • Component/s: build, dependencies
    • Labels: None
    • Release Note: HBase now relies on version 4.3.6 of the Apache HttpComponents HttpClient library (org.apache.httpcomponents:httpclient) in place of Commons HttpClient 3.x. Downstream users who are exposed to it via the HBase classpath will have to similarly update their dependency.

    Description

      Currently commons-httpclient 3.1 is used.

      Apache has already declared the 3.x line end-of-life.
      We should move to 4.3.6 or later.

      Details:
      https://issues.apache.org/jira/browse/HADOOP-12767
      https://issues.apache.org/jira/browse/HADOOP-10105

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
      CVE-2012-5783: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVE-2012-6153 covers the incomplete fix of the same hostname check in HttpClient 4.x before 4.2.3, which is why the target is 4.3.6 rather than an arbitrary 4.x release.
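An added check, not code from this ticket or from HBase, for the release-note advice that downstream projects must update their own dependency: a small Python audit over the text output of `mvn dependency:tree` that flags any commons-httpclient 3.x artifact (the end-of-life line with no hostname verification) and any org.apache.httpcomponents:httpclient older than 4.3.6 (the first release with the handshake-timeout fix). The dependency tree embedded below is a constructed sample, and the 4.3.6 threshold, the coordinate regex and the version-parsing rules are assumptions chosen to match this issue.

```python
"""Audit `mvn dependency:tree` output for the HttpClient versions HBASE-15767 moves away from.

Added example; not part of HBASE-15767 or the HBase code base. The sample tree,
the 4.3.6 threshold and the parsing rules are assumptions for illustration.
"""
import re

# Constructed sample of `mvn dependency:tree` output; not a real HBase build log.
SAMPLE_TREE = """\
[INFO] org.example:downstream-app:jar:1.0
[INFO] +- org.apache.hbase:hbase-client:jar:2.0.0:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] |  \\- org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO] +- org.example:legacy-lib:jar:2.1:compile
[INFO] |  \\- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \\- org.example:other-lib:jar:0.9:compile
[INFO]    \\- org.apache.httpcomponents:httpclient:jar:4.2.5:compile
"""

# Maven prints resolved dependencies as group:artifact:packaging[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<packaging>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# First HttpClient 4.x release that honours the socket timeout during the SSL handshake
# (CVE-2015-5262); assumed threshold taken from the issue description.
MIN_SAFE_HTTPCLIENT = (4, 3, 6)


def parse_version(version):
    """Turn '4.3.6' into (4, 3, 6); non-numeric segments such as 'beta1' count as 0."""
    return tuple(int(seg) if seg.isdigit() else 0 for seg in re.split(r"[.\-]", version))


def audit_dependency_tree(tree_text):
    """Return [(group:artifact:version, reason)] for every vulnerable HttpClient artifact found."""
    findings = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue  # the root artifact line has no scope and is skipped
        group, artifact, version = match["group"], match["artifact"], match["version"]
        coord = f"{group}:{artifact}:{version}"
        if group == "commons-httpclient" and artifact == "commons-httpclient":
            # Every 3.x release is end-of-life and lacks hostname verification (CVE-2012-5783).
            findings.append((coord, "end-of-life 3.x line; no TLS hostname verification (CVE-2012-5783)"))
        elif group == "org.apache.httpcomponents" and artifact == "httpclient":
            if parse_version(version) < MIN_SAFE_HTTPCLIENT:
                findings.append((coord, "older than 4.3.6; socket timeout ignored during SSL handshake (CVE-2015-5262)"))
    return findings


if __name__ == "__main__":
    import sys

    # Pipe real output in (`mvn dependency:tree | python audit_httpclient.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for coord, reason in audit_dependency_tree(text):
        print(f"{coord}: {reason}")
```

Run it against `mvn dependency:tree -Dverbose` to also see the versions Maven omitted during conflict mediation; a clean tree from this script only means the resolved classpath is clean, and a 3.x artifact pulled in by another library still has to be removed with an explicit exclusion, since it is a different group:artifact and is not mediated against httpclient 4.x at all.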

      Attachments

        15767.v1.txt (2 kB, Ted Yu)

      People

        Assignee: Ted Yu (yuzhihong@gmail.com)
        Reporter: Ted Yu (yuzhihong@gmail.com)