HIVE-12469: Bump Commons-Collections dependency from 3.2.1 to 3.2.2 to address vulnerability


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.2.1
    • Fix Version/s: 1.3.0, 2.0.0
    • Component/s: Build Infrastructure
    • Labels: None

    Description

      Currently the commons-collections library (3.2.1) allows invocation of arbitrary code through InvokerTransformer; the commons-collections version needs to be bumped from 3.2.1 to 3.2.2 to resolve this issue.

      Results of mvn dependency:tree:

      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
      [INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
      [INFO] +- com.google.guava:guava:jar:14.0.1:compile
      [INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
      
      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Packaging 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
      [INFO] |  +- org.apache.hbase:hbase-server:jar:1.1.1:compile
      [INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
      
      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Common 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-common ---
      [INFO] +- org.apache.hadoop:hadoop-common:jar:2.6.0:compile
      [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
      

      The Hadoop-Common dependency (and with it commons-collections 3.2.1) is also found in: LLAP, Serde, Storage, Shims, Shims Common, Shims Scheduler.

      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-ant ---
      [INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
      
      [INFO]                                                                         
      [INFO] ------------------------------------------------------------------------
      [INFO] Building Hive Accumulo Handler 2.0.0-SNAPSHOT
      [INFO] ------------------------------------------------------------------------
      [INFO] +- org.apache.accumulo:accumulo-core:jar:1.6.0:compile
      [INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
      
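      The dependency tree above shows that the vulnerable artifact arrives both directly (hive-hplsql) and transitively (through hadoop-common, hbase-server and accumulo-core), and that one module (hive-ant) even carries the older 3.1. A practical check is therefore to parse the full `mvn dependency:tree` output rather than grep for a single version string. The script below is an added example, not part of this issue or of the Hive project: it walks the tree, tracks which module and which parent chain each commons-collections occurrence belongs to, and flags every version below 3.2.2. The embedded sample output is constructed from the excerpt in this issue; the `org.example:constructed-parent` coordinate standing in for hive-ant's parent is a placeholder, not a real Hive dependency.

```python
"""Flag commons-collections < 3.2.2 anywhere in `mvn dependency:tree` output.

Added example (not Hive project code). Usage:
    mvn dependency:tree > tree.txt && python check_collections.py tree.txt
"""
import re
import sys
from typing import Dict, List, Tuple

# Versions before 3.2.2 ship InvokerTransformer with no deserialization guard.
FIXED_VERSION = (3, 2, 2)
VULN_GROUP, VULN_ARTIFACT = "commons-collections", "commons-collections"

# "[INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT" (newer Maven appends " [3/40]").
BUILD_RE = re.compile(r"^\[INFO\] Building (.+?) \S+(?: \[\d+/\d+\])?$")
# "[INFO] |  +- group:artifact:jar:version:scope"; each "|  " or "   " is one level.
DEP_RE = re.compile(r"^\[INFO\] ((?:\|  |   )*)[+\\]- (\S+)$")
# "[INFO] group:artifact:jar:version" is the module's own root coordinate.
ROOT_RE = re.compile(r"^\[INFO\] (\S+)$")

# Constructed sample modelled on the excerpt in HIVE-12469 (not real output).
SAMPLE_TREE = r"""
[INFO] Building Hive HPL/SQL 2.0.0-SNAPSHOT
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ hive-hplsql ---
[INFO] org.apache.hive:hive-hplsql:jar:2.0.0-SNAPSHOT
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] Building Hive Packaging 2.0.0-SNAPSHOT
[INFO] +- org.apache.hive:hive-hbase-handler:jar:2.0.0-SNAPSHOT:compile
[INFO] |  +- org.apache.hbase:hbase-server:jar:1.1.1:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] Building Hive Ant Utilities 2.0.0-SNAPSHOT
[INFO] +- org.example:constructed-parent:jar:1.0:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.1:compile
[INFO] Building Hive Fixed Module 2.0.0-SNAPSHOT
[INFO] \- commons-collections:commons-collections:jar:3.2.2:compile
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_coord(coord: str) -> Tuple[str, str, str]:
    """Return (group, artifact, version) from a Maven coordinate.

    Forms: group:artifact:type:version[:scope]
           group:artifact:type:classifier:version:scope
    """
    parts = coord.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version


def find_vulnerable(tree_text: str) -> List[Dict[str, object]]:
    """Return one finding per vulnerable occurrence, with its module and parent chain."""
    findings: List[Dict[str, object]] = []
    module = "?"
    stack: List[object] = []  # stack[d] = coordinate at depth d (None for the root)
    for raw in tree_text.splitlines():
        line = raw.strip()
        m = BUILD_RE.match(line)
        if m:
            module, stack = m.group(1), []  # new module: reset the ancestor chain
            continue
        m = DEP_RE.match(line)
        if not m:
            r = ROOT_RE.match(line)
            if r and r.group(1).count(":") >= 3:
                stack = [None]  # the module's own artifact occupies depth 0
            continue
        depth = len(m.group(1)) // 3 + 1
        group, artifact, version = parse_coord(m.group(2))
        stack = stack[:depth] + [None] * (depth - len(stack))  # pad if root line absent
        stack.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == (VULN_GROUP, VULN_ARTIFACT) and parse_version(version) < FIXED_VERSION:
            findings.append({
                "module": module,
                "version": version,
                "via": [c for c in stack[:-1] if c],  # transitive path, root excluded
            })
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for f in find_vulnerable(text):
        path = " -> ".join(f["via"]) or "(direct dependency)"
        print(f"{f['module']}: commons-collections {f['version']} via {path}")
    sys.exit(1 if find_vulnerable(text) else 0)
```

      Running the script on the sample reports three occurrences (3.2.1 directly in HPL/SQL, 3.2.1 under hive-hbase-handler -> hbase-server in Packaging, and 3.1 in Ant Utilities) and none for the module already on 3.2.2; the non-zero exit status lets it gate a build. Because transitive occurrences come from third-party artifacts, bumping Hive's own version property is not enough on its own: each flagged path needs either an upgraded parent or a managed dependency override, which is what a dependencyManagement entry for 3.2.2 provides.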

      Attachments

        1. HIVE-12469.patch
          4 kB
          Ashutosh Chauhan
        2. HIVE-12469.2-branch1.patch
          1.0 kB
          Ashutosh Chauhan
        3. HIVE-12469.2.patch
          4 kB
          Ashutosh Chauhan

        People

          ashutoshc Ashutosh Chauhan
          sircodesalot Reuben Kuhnert
          Votes: 0
          Watchers: 5