Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-12469

Bump Commons-Collections dependency from 3.2.1 to 3.2.2. to address vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.2.1
    • Fix Version/s: 1.3.0, 2.0.0
    • Component/s: Build Infrastructure
    • Labels:
      None

      Description

      Currently the commons-collections (3.2.1) library allows for invocation of arbitrary code through InvokerTransformer, need to bump the version of commons-collections from 3.2.1 to 3.2.2 to resolve this issue.

      Results of mvn dependency:tree:

      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
      [INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
      [INFO] +- com.google.guava:guava:jar:14.0.1:compile
      [INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
      
      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Packaging 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
      [INFO] |  +- org.apache.hbase:hbase-server:jar:1.1.1:compile
      [INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
      
      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Common 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-common ---
      [INFO] +- org.apache.hadoop:hadoop-common:jar:2.6.0:compile
      [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
      

      Hadoop-Common dependency also found in: LLAP, Serde, Storage, Shims, Shims Common, Shims Scheduler)

      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant ---
      [INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
      
      [INFO]                                                                         
      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Accumulo Handler 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] +- org.apache.accumulo:accumulo-core:jar:1.6.0:compile
      [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
      

        Attachments

        1. HIVE-12469.2.patch
          4 kB
          Ashutosh Chauhan
        2. HIVE-12469.2-branch1.patch
          1.0 kB
          Ashutosh Chauhan
        3. HIVE-12469.patch
          4 kB
          Ashutosh Chauhan

          Issue Links

            Activity

              People

              • Assignee:
                ashutoshc Ashutosh Chauhan
                Reporter:
                sircodesalot Reuben Kuhnert
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: