Posted to dev@oozie.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2016/05/26 13:13:13 UTC

[jira] [Commented] (OOZIE-2538) Update HttpClient versions to close security vulnerabilities

    [ https://issues.apache.org/jira/browse/OOZIE-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15302052#comment-15302052 ] 

Hadoop QA commented on OOZIE-2538:
----------------------------------

Testing JIRA OOZIE-2538

Cleaning local git workspace

----------------------------

{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.    {color:green}+1{color} the patch does not introduce any @author tags
.    {color:green}+1{color} the patch does not introduce any tabs
.    {color:green}+1{color} the patch does not introduce any trailing spaces
.    {color:green}+1{color} the patch does not introduce any line longer than 132
.    {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.    {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
.    {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
.    {color:green}+1{color} HEAD compiles
.    {color:green}+1{color} patch compiles
.    {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.    {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
.    {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.    Tests run: 1780
.    Tests failed: 2
.    Tests errors: 0

.    The patch failed the following testcases:

.      testSubWorkflowRerun(org.apache.oozie.action.oozie.TestSubWorkflowActionExecutor)
.      testNone(org.apache.oozie.command.coord.TestCoordActionInputCheckXCommand)

{color:green}+1 DISTRO{color}
.    {color:green}+1{color} distro tarball builds with the patch 

----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}


The full output of the test-patch run is available at

.   https://builds.apache.org/job/oozie-trunk-precommit-build/2907/

> Update HttpClient versions to close security vulnerabilities
> ------------------------------------------------------------
>
>                 Key: OOZIE-2538
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2538
>             Project: Oozie
>          Issue Type: Bug
>          Components: core
>            Reporter: abhishek bafna
>            Assignee: abhishek bafna
>         Attachments: OOZIE-2538.patch
>
>
> We learned that
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262 : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
> Also, the Commons HttpClient project is now end of life and is no longer being developed. It has been replaced by the Apache HttpComponents project in its HttpClient and HttpCore modules, which offer better performance and more flexibility. http://hc.apache.org/httpclient-3.x/
> Hence, HttpClient version should be updated.


