Re: Replacing Commons-httpclient and bumping httpclient version

Wed, 17 Feb 2016 10:27:56 -0800 

Thanks for the suggestion, Wei-Chiu Chuang.

I'm +1 too to clean up dependency on commons-httpclient.

Your suggestion reminded me of HADOOP-12552 which
seems to depends on HADOOP-12710 and HADOOP-12711 now.
I will revisit it.

Masatake Iwasaki

On 2/17/16 03:59, Colin P. McCabe wrote:

+1 for updating the dependencies in trunk.

best,
Colin

On Tue, Feb 16, 2016 at 9:20 AM, Wei-Chiu Chuang <weic...@cloudera.com> wrote:

Fellow Hadoop developers,

Hadoop codebase depends on commons-httpclient, and its latest version, 3.1.2, 
is EOL nearly 5 years ago. But because its API is not compatible with its 
successor, httpclient 4, the community seem to have been reluctant to upgrade.
However, a lot of evidence indicates that commons-httpclient has a number of 
security vulnerabilities which are never addressed, including CVE-2012-6153. To 
make Hadoop less susceptible to existing and future vulnerabilities, we should 
seriously consider replacing commons-httpclient with httpclient 4.x.

There are a few Hadoop JIRAs that have patches available to address that, but 
they really need more attention to get them committed:
HADOOP-10105 <https://issues.apache.org/jira/browse/HADOOP-10105> (remove 
httpclient dependency) is the umbrella JIRA for all.
Other efforts includes HADOOP-11613 <https://issues.apache.org/jira/browse/HADOOP-11613> (Remove 
httpclient dependency from hadoop-azure), HADOOP-11614 
<https://issues.apache.org/jira/browse/HADOOP-11614> (Remove httpclient dependency from 
hadoop-openstack), HADOOP-12710 <https://issues.apache.org/jira/browse/HADOOP-12710> (Remove 
dependency on commons-httpclient for TestHttpServerLogs), HADOOP-12711 
<https://issues.apache.org/jira/browse/HADOOP-12711> (Remove dependency on commons-httpclient for 
ServletUtil). I’d also like to urge the community to reject patches that imports commons-httpclient in 
the future.

Additionally, Hadoop trunk depends on httpclient 4.2.5, which is known to suffer from 
several security vulnerabilities as well, including CVE-2012-6153, CVE-2011-4461, 
CVE-2014-3577, CVE-2015-5262. HADOOP-12767 
<https://issues.apache.org/jira/browse/HADOOP-12767> (update apache httpclient 
version to the latest 4.5 for security) has a patch that bumps the version to 4.5.1. 
But I’d like to ask the community whether we should do it or not, and the implication 
of bump the latest version.

Best regards,
Wei-Chiu Chuang
A very happy Clouderan

Reply via email to