[ 
https://issues.apache.org/jira/browse/HBASE-15767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sean Busbey updated HBASE-15767:
--------------------------------
      Resolution: Fixed
    Release Note: HBase now relies on version 4.3.6 of the Apache Commons 
HTTPClient library. Downstream users who are exposed to it via the HBase 
classpath will have to similarly update their dependency.
          Status: Resolved  (was: Patch Available)

+1, pushed to master. In the future please format patches according to the 
contributor guide so that it's easier for reviewers to pull things in during 
review periods.

> Upgrade httpclient dependency
> -----------------------------
>
>                 Key: HBASE-15767
>                 URL: https://issues.apache.org/jira/browse/HBASE-15767
>             Project: HBase
>          Issue Type: Improvement
>          Components: build, dependencies
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>             Fix For: 2.0.0
>
>         Attachments: 15767.v1.txt
>
>
> Currently commons-httpclient 3.1 is used.
> This has already been declared end-of-life by Apache.
> We should move to 4.3.6 or later.
> Details:
> https://issues.apache.org/jira/browse/HADOOP-12767
> https://issues.apache.org/jira/browse/HADOOP-10105
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : 
> http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents 
> HttpClient before 4.3.6 ignores the http.socket.timeout configuration 
> setting during an SSL handshake, which allows remote attackers to cause a 
> denial of service (HTTPS call hang) via unspecified vectors.
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
> Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service 
> (FPS) merchant Java SDK and other products, does not verify that the server 
> hostname matches a domain name in the subject's Common Name (CN) or 
> subjectAltName field of the X.509 certificate, which allows man-in-the-middle 
> attackers to spoof SSL servers via an arbitrary valid certificate.
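A dependency check for the upgrade this issue makes, added here as an example and not code from HBase or the issue's patch: it scans a pom.xml for the end-of-life commons-httpclient 3.x artifact and for org.apache.httpcomponents:httpclient older than 4.3.6, which downstream users on the HBase classpath can run against their own build. The Maven coordinates, the constructed sample pom and Python 3.8+ (for the `{*}` namespace wildcard) are assumptions.

```python
"""Audit a Maven pom.xml for the HttpClient artifacts HBASE-15767 replaces.
Added example for this thread, not HBase or HttpClient code; the pom is constructed input."""
import re
import xml.etree.ElementTree as ET

MIN_HTTPCLIENT = (4, 3, 6)  # first release that honours http.socket.timeout during the TLS handshake

# Constructed sample pom: the EOL 3.1 artifact next to the 4.3.6 one the issue moves to.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>commons-httpclient</groupId>
      <artifactId>commons-httpclient</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.3.6</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'4.3.6' or '4.3.6-SNAPSHOT' -> (4, 3, 6); None for unresolved values like ${httpclient.version}."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_pom(pom_xml):
    """Return a list of (groupId:artifactId:version, reason) for each dependency to fix."""
    findings = []
    # {*} matches any namespace, so poms with or without the POM xmlns both work (Python 3.8+).
    for dep in ET.fromstring(pom_xml).iterfind(".//{*}dependency"):
        gid = dep.findtext("{*}groupId", "")
        aid = dep.findtext("{*}artifactId", "")
        ver = dep.findtext("{*}version", "")
        coord = f"{gid}:{aid}:{ver}"
        if (gid, aid) == ("commons-httpclient", "commons-httpclient"):
            findings.append((coord, "EOL 3.x line: no hostname verification (CVE-2012-5783)"))
        elif (gid, aid) == ("org.apache.httpcomponents", "httpclient"):
            v = parse_version(ver)
            if v is None:
                findings.append((coord, "version set by a property; resolve it and re-check"))
            elif v < MIN_HTTPCLIENT:
                findings.append((coord, "older than 4.3.6: TLS handshake can hang (CVE-2015-5262)"))
    return findings

if __name__ == "__main__":
    for coord, reason in audit_pom(SAMPLE_POM):
        print(f"FLAG {coord}: {reason}")
```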



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
