[ https://issues.apache.org/jira/browse/HADOOP-16542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16922766#comment-16922766 ]

Wei-Chiu Chuang commented on HADOOP-16542:
------------------------------------------

Actually, I tried to remove it from Hadoop, and then built upstream applications, but it fails to build Hive:

So I'm sorry but -1 to remove this entirely. Looks like we have to update it instead of removing it.

{noformat}
2019-09-03 19:11:46.955312 [INFO] ------------------------------------------------------------------------
2019-09-03 19:11:46.955323 [INFO] BUILD FAILURE
2019-09-03 19:11:46.955335 [INFO] ------------------------------------------------------------------------
2019-09-03 19:11:46.955407 [INFO] Total time: 26.580 s
2019-09-03 19:11:46.955507 [INFO] Finished at: 2019-09-04T02:11:46Z
2019-09-03 19:11:47.316910 [INFO] Final Memory: 70M/707M
2019-09-03 19:11:47.316974 [INFO] ------------------------------------------------------------------------
2019-09-03 19:11:47.317083 [WARNING] The requested profile "hadoop-2" could not be activated because it does not exist.
2019-09-03 19:11:47.317813 [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.6.1:compile (default-compile) on project hive-metastore: Compilation failure
2019-09-03 19:11:47.317836 [ERROR] /container.common/build/cdh/hive/2.1.1-cdh6.x-SNAPSHOT/source/metastore/src/java/org/apache/hadoop/hive/metastore/MetaStoreUtils.java:[57,36] package org.apache.commons.beanutils does not exist
2019-09-03 19:11:47.317845 [ERROR] -> [Help 1]
2019-09-03 19:11:47.317855 [ERROR] 
2019-09-03 19:11:47.317863 [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
2019-09-03 19:11:47.317872 [ERROR] Re-run Maven using the -X switch to enable full debug logging.
2019-09-03 19:11:47.317880 [ERROR] 
2019-09-03 19:11:47.317888 [ERROR] For more information about the errors and possible solutions, please read the following articles:
2019-09-03 19:11:47.317903 [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
2019-09-03 19:11:47.317912 [ERROR] 
2019-09-03 19:11:47.317920 [ERROR] After correcting the problems, you can resume the build with the command
{noformat}

> Update commons-beanutils version
> --------------------------------
>
>                 Key: HADOOP-16542
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16542
>             Project: Hadoop Common
>          Issue Type: Task
>    Affects Versions: 2.10.0, 3.3.0
>            Reporter: Wei-Chiu Chuang
>            Assignee: kevin su
>            Priority: Major
>              Labels: release-blocker
>         Attachments: HADOOP-16542.001.patch, HADOOP-16542.002.patch
>
>
> [http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e]
>  {quote}
> CVE-2019-10086. Apache Commons Beanutils does not suppress the class 
> property in PropertyUtilsBean
> by default.
> Severity: Medium
> Vendor: The Apache Software Foundation
> Versions Affected: commons-beanutils-1.9.3 and earlier
> Description: A special BeanIntrospector class was added in version 1.9.2.
> This can be used to stop attackers from using the class property of
> Java objects to get access to the classloader.
> However this protection was not enabled by default.
> PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
> level property access by default, thus protecting against
> CVE-2014-0114.
> Mitigation: 1.X users should migrate to 1.9.4.
> {quote}



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
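
An added example, not part of the original message or of the Hadoop patches: a Python check that scans `mvn dependency:tree` output for commons-beanutils older than 1.9.4 (the migration target in the advisory quoted above) and reports the dependency path that pulls it in. The sample tree, its `org.example:reporting` module and the helper names are constructed for illustration.

```python
import re

FIXED = (1, 9, 4)  # advisory: 1.9.3 and earlier affected, migrate to 1.9.4
TARGET = ("commons-beanutils", "commons-beanutils")

# Constructed sample of `mvn dependency:tree` output (not taken from the issue).
SAMPLE_TREE = r"""
[INFO] org.apache.hive:hive-metastore:jar:2.1.1-cdh6.x-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.0:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] \- org.example:reporting:jar:1.0:compile
[INFO]    \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
"""

# Tree indentation is built from 3-character groups: "|  ", "+- ", "\- ", "   ".
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][ -] )*)(\S+)$")

def version_key(version):
    """Numeric part of a version, e.g. '1.9.3' -> (1, 9, 3); qualifiers ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_affected(tree_text):
    """Return (version, dependency path) for each commons-beanutils older than FIXED."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        # group:artifact:type[:classifier]:version[:scope]; the root has no scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]                      # drop siblings and deeper nodes
        stack.append(f"{parts[0]}:{parts[1]}")
        if (parts[0], parts[1]) == TARGET and version_key(version) < FIXED:
            hits.append((version, " -> ".join(stack)))
    return hits

if __name__ == "__main__":
    for version, path in find_affected(SAMPLE_TREE):
        print(f"commons-beanutils {version} via {path}")
```

Feeding it the real tree of a downstream build shows whether an old version still arrives transitively after the upstream dependency is bumped.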