[ https://issues.apache.org/jira/browse/OOZIE-2410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated OOZIE-2410:
---------------------------------
Attachment: security-fixes.patch
The patch listed on COLLECTIONS-580 isn't actually the one they used :/
With [~yoderme]'s help, I got a diff and manually extracted and applied the
security fix. For reference, I've attached it to this JIRA.
> Fork collections-generic
> ------------------------
>
> Key: OOZIE-2410
> URL: https://issues.apache.org/jira/browse/OOZIE-2410
> Project: Oozie
> Issue Type: Bug
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Critical
> Fix For: trunk
>
> Attachments: security-fixes.patch
>
>
> The Jung library used by the {{GraphGenerator}} code is using an old fork of
> Commons-Collections which added generics. There was recently a security bug
> in Commons-Collections (COLLECTIONS-580). The fork we're using hasn't been
> updated since 2010 and is dead, so it won't get the security fix
> (Commons-Collections 3.2.2 or 4.1). While Oozie isn't currently vulnerable
> to an attack due to this, it would be good to patch this just to be safe.
> Unfortunately, the best way to fix this is to fork the fork, which isn't
> super great. Anyway, we can make a new "oozie-collections-generic" module
> with the collections-generic code + the security fixes applied.
> In the long run, we should implement OOZIE-2406, which will completely
> rewrite the {{GraphGenerator}} (there are a number of other downsides with the
> current implementation listed there), at which time we can remove this new
> module.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
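The description above says the generics fork will never receive the COLLECTIONS-580 fix, so the practical check for a build is whether any jar on the classpath still carries the unpatched fork or a Commons Collections release older than 3.2.2 / 4.1. The following Python script is an added example, not part of the JIRA issue or of Oozie's code: it walks a directory of jars, reads each embedded `META-INF/maven/<groupId>/<artifactId>/pom.properties`, and flags the ones that predate the fix. The Maven coordinates (`commons-collections:commons-collections`, `org.apache.commons:commons-collections4`, and `net.sourceforge.collections:collections-generic` for the fork) are assumptions of this example; the page names only the fixed release numbers and the fork by name.

```python
"""Flag dependency jars that predate the Commons Collections security fix
(COLLECTIONS-580), including the unmaintained collections-generic fork.
Added example; not code from the Oozie project or this JIRA issue."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumed Maven coordinates: the page gives only "3.2.2 or 4.1" as the fixed
# releases; the coordinates themselves are not stated there.
FIXED_VERSIONS = {
    ("commons-collections", "commons-collections"): (3, 2, 2),
    ("org.apache.commons", "commons-collections4"): (4, 1),
}
# Assumed coordinate of the generics fork used by Jung; per the issue, no
# release of it carries the fix, so every version is reported.
DEAD_FORKS = {("net.sourceforge.collections", "collections-generic")}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """Turn '3.2.2' or '4.01' into a tuple of integers for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts) if parts else (0,)


def version_lt(a, b):
    """Compare version tuples after padding the shorter one with zeros."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def read_props(raw):
    """Minimal key=value parser for a Maven pom.properties entry."""
    props = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_jar_bytes(data, label="<jar>"):
    """Return a list of findings for one jar supplied as bytes.
    Shaded jars keep the pom.properties of embedded dependencies, so they
    are inspected the same way as plain dependency jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = read_props(zf.read(name))
            group = props.get("groupId", match.group(1))
            artifact = props.get("artifactId", match.group(2))
            version = props.get("version", "0")
            key = (group, artifact)
            if key in DEAD_FORKS:
                findings.append(f"{label}: {group}:{artifact}:{version} is an "
                                f"unmaintained fork with no COLLECTIONS-580 fix")
            elif key in FIXED_VERSIONS and version_lt(parse_version(version),
                                                      FIXED_VERSIONS[key]):
                fixed = ".".join(map(str, FIXED_VERSIONS[key]))
                findings.append(f"{label}: {group}:{artifact}:{version} "
                                f"predates the fixed release {fixed}")
    return findings


def audit_directory(root):
    """Audit every *.jar below root, e.g. a lib/ directory of a deployment."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        findings.extend(audit_jar_bytes(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(group, artifact, version):
    """Constructed fixture: a minimal jar that carries only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in audit_directory(sys.argv[1]):
            print(finding)
    else:
        # No directory given: demonstrate on a constructed fork jar.
        sample = build_sample_jar("net.sourceforge.collections",
                                  "collections-generic", "4.01")
        for finding in audit_jar_bytes(sample, "sample.jar"):
            print(finding)
```

Run it as `python audit_jars.py /path/to/lib` against a deployment's jar directory. Because a forked module such as the proposed oozie-collections-generic would normally be built from patched sources under a new coordinate, the check reports the original fork coordinate rather than the new module, which is the point: anything still pulling the dead fork transitively (Jung in this case) shows up until the replacement is in place.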