[ https://issues.apache.org/jira/browse/OOZIE-2410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated OOZIE-2410:
---------------------------------
Attachment: OOZIE-2410.001.patch
The patch adds the "oozie-collections-generics" module with the source code of
the collections-generics fork + the security fixes. I've excluded this module
from running tests or checkstyle. I've verified that the graph shows up in the
Web UI using this code instead of the original jar.
> Fork collections-generic
> ------------------------
>
> Key: OOZIE-2410
> URL: https://issues.apache.org/jira/browse/OOZIE-2410
> Project: Oozie
> Issue Type: Bug
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Critical
> Fix For: trunk
>
> Attachments: OOZIE-2410.001.patch, security-fixes.patch
>
>
> The Jung library used by the {{GraphGenerator}} code is using an old fork of
> Commons-Collections which added generics. There was recently a security bug
> in Commons-Collections (COLLECTIONS-580). The fork we're using hasn't been
> updated since 2010 and is dead, so it won't get the security fix
> (Commons-Collections 3.2.2 or 4.1). While Oozie isn't currently vulnerable
> to an attack due to this, it would be good to patch this just to be safe.
> Unfortunately, the best way to fix this is to fork the fork, which isn't
> super great. Anyway, we can make a new "oozie-collections-generic" module
> with the collections-generic code + the security fixes applied.
> In the long run, we should implement OOZIE-2406, which will completely
> rewrite the {{GraphGenerator}} (there's a number of other downsides with the
> current implementation listed there), at which time we can remove this new
> module.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)