[jira] [Commented] (HBASE-15767) Upgrade httpclient dependency

Hadoop QA (JIRA) Wed, 04 May 2016 20:20:41 -0700

    [ 
https://issues.apache.org/jira/browse/HBASE-15767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15271829#comment-15271829
 ]


Hadoop QA commented on HBASE-15767:
-----------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} patch {color} | {color:blue} 0m 1s 
{color} | {color:blue} The patch file was not named according to hbase's naming 
conventions. Please see 
https://yetus.apache.org/documentation/0.2.1/precommit-patchnames for 
instructions. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s 
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:red}-1{color} | {color:red} test4tests {color} | {color:red} 0m 0s 
{color} | {color:red} The patch doesn't appear to include any new or modified 
tests. Please justify why no new tests are needed for this patch. Also please 
list what manual steps were performed to verify this patch. {color} |
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s 
{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 
31s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 32s 
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 3m 45s 
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 1m 
50s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 5m 30s 
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 4m 24s 
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s 
{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 
20s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 57s 
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 5m 57s 
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 5m 58s 
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 5m 58s 
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 2m 
58s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 
0s {color} | {color:green} Patch has no whitespace issues. {color} |
| {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 5s 
{color} | {color:green} The patch has no ill-formed XML file. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 
20m 14s {color} | {color:green} Patch does not cause any errors with Hadoop 
2.4.1 2.5.2 2.6.0. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 7m 36s 
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 7m 30s 
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 155m 35s 
{color} | {color:green} hbase-server in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 9m 32s 
{color} | {color:green} hbase-rest in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 175m 36s 
{color} | {color:green} root in the patch passed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 1m 
10s {color} | {color:green} Patch does not generate ASF License warnings. 
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 422m 55s {color} 
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12802276/15767.v1.txt |
| JIRA Issue | HBASE-15767 |
| Optional Tests |  asflicense  javac  javadoc  unit  xml  compile  |
| uname | Linux asf909.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP 
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | 
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/test_framework/yetus-0.2.1/lib/precommit/personality/hbase.sh
 |
| git revision | master / d23d600 |
| Default Java | 1.7.0_79 |
| Multi-JDK versions |  /home/jenkins/tools/java/jdk1.8.0:1.8.0 
/usr/local/jenkins/java/jdk1.7.0_79:1.7.0_79 |
|  Test Results | 
https://builds.apache.org/job/PreCommit-HBASE-Build/1764/testReport/ |
| modules | C: hbase-server hbase-rest . U: . |
| Console output | 
https://builds.apache.org/job/PreCommit-HBASE-Build/1764/console |
| Powered by | Apache Yetus 0.2.1   http://yetus.apache.org |


This message was automatically generated.



> Upgrade httpclient dependency
> -----------------------------
>
>                 Key: HBASE-15767
>                 URL: https://issues.apache.org/jira/browse/HBASE-15767
>             Project: HBase
>          Issue Type: Improvement
>          Components: build, dependencies
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>             Fix For: 2.0.0
>
>         Attachments: 15767.v1.txt
>
>
> Currently commons-httpclient 3.1 is used.
> This is already end-of-life by apache.
> We should move to 4.3.6 or later.
> Details:
> https://issues.apache.org/jira/browse/HADOOP-12767
> https://issues.apache.org/jira/browse/HADOOP-10105
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http. socket.timeout configuration 
> setting during an SSL handshake, which allows remote attackers to cause a 
> denial of service (HTTPS call hang) via unspecified vectors.
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
> Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service 
> (FPS) merchant Java SDK and other products, does not verify that the server 
> hostname matches a domain  name in the subject's Common Name (CN) or 
> subjectAltName field of the X.509 certificate, which allows man-in-the-middle 
> attackers to spoof SSL servers via an arbitrary valid certificate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (HBASE-15767) Upgrade httpclient dependency

Reply via email to