[ https://issues.apache.org/jira/browse/OOZIE-2410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated OOZIE-2410:
---------------------------------
Description:
The Jung library used by the {{GraphGenerator}} code is using an old fork of
Commons-Collections which added generics. There was recently a security bug in
Commons-Collections (COLLECTIONS-580). The fork we're using hasn't been
updated since 2010 and is dead, so it won't get the security fix
(Commons-Collections 3.2.2 or 4.1). While Oozie isn't currently vulnerable to
an attack due to this, it would be good to patch this just to be safe.
Unfortunately, the best way to fix this is to fork the fork, which isn't super
great. Anyway, we can make a new "oozie-collections-generic" module with the
collections-generic code + the security fixes applied.
In the long run, we should implement OOZIE-2406, which will completely rewrite
the {{GraphGenerator}} (there's a number of other downsides with the current
implementation listed there), at which time we can remove this new module.
was:
The Jung library used by the {{GraphGenerator}} code is using an old fork of
Commons-Collections which added generics. There was recently a security bug in
Commons-Collections (COLLECTIONS-580). The fork we're using hasn't been
updated since 2010 and is dead, so it won't get the security fix
(Commons-Collections 3.2.2 or 4.1). While Oozie isn't currently vulnerable to
an attack due to this, it would be good to patch this just to be safe.
Unfortunately, the best way to fix this is to fork the fork, which isn't super
great. Anyway, we can make a new "oozie-collections-generic" module with the
collections-generic code + the security fixes applied.
In the long run, we should implement OOZIE-2406, which will completely rewrite
the {{GraphGenerator}} (there's a number of other downsides with the current
implementation listed there).
> Fork collections-generic
> ------------------------
>
> Key: OOZIE-2410
> URL: https://issues.apache.org/jira/browse/OOZIE-2410
> Project: Oozie
> Issue Type: Bug
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Critical
> Fix For: trunk
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
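A practical way to act on the ticket above is to check a build for the two things it names: the unmaintained Jung fork of Commons-Collections, and any Commons-Collections artifact older than the 3.2.2 / 4.1 releases that carry the COLLECTIONS-580 fix. The script below is an added example for this page, not Oozie's own code; it reads a Maven pom.xml from a constructed string. The Maven coordinates used for the fork (net.sourceforge.collections:collections-generic) are an assumption, since the ticket does not state them; adjust the DEAD_FORK tuple if your build pulls the fork under different coordinates.

```python
"""Flag Commons-Collections dependencies in a Maven POM that predate the
COLLECTIONS-580 fix, or that come from the dead generics fork used by Jung."""
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions, as named in OOZIE-2410.
FIXED = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}
# ASSUMPTION: coordinates of the generics fork; the ticket does not name them.
DEAD_FORK = ("net.sourceforge.collections", "collections-generic")


def _local(tag):
    """Strip the POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _version_tuple(v):
    """'3.2.1' -> (3, 2, 1); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"[\d.]+", v)
    return tuple(int(p) for p in m.group(0).split(".") if p) if m else ()


def _pad(a, b):
    """Right-pad two version tuples with zeros so they compare element-wise."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def find_risky_collections(pom_xml):
    """Return human-readable findings for risky Commons-Collections deps.

    Every <dependency> element is inspected, including those under
    <dependencyManagement>; ${property} versions are resolved from <properties>.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        key = (fields.get("groupId"), fields.get("artifactId"))
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        coord = f"{key[0]}:{key[1]}:{version or '?'}"
        if key == DEAD_FORK:
            findings.append(f"{coord} - unmaintained fork, no COLLECTIONS-580 fix")
        elif key in FIXED:
            have = _version_tuple(version)
            if not have:
                # Version managed elsewhere (parent POM / BOM): cannot judge here.
                findings.append(f"{coord} - version not declared inline, check dependencyManagement")
                continue
            have, need = _pad(have, FIXED[key])
            if have < need:
                fixed = ".".join(map(str, FIXED[key]))
                findings.append(f"{coord} - below fixed version {fixed}")
    return findings


# Constructed sample POM: the fork, an old commons-collections via a property,
# and a commons-collections4 that is already at the fixed release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><cc.version>3.2.1</cc.version></properties>
  <dependencies>
    <dependency>
      <groupId>net.sourceforge.collections</groupId>
      <artifactId>collections-generic</artifactId>
      <version>4.01</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${cc.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.1</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for line in find_risky_collections(SAMPLE_POM):
        print(line)
```

Run against a real pom.xml by passing its contents in place of SAMPLE_POM; a dependency whose version is inherited from a parent or BOM is reported separately rather than silently passed, since the script cannot resolve it without the parent.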