Posted to dev@hive.apache.org by Adam Roberts <AR...@uk.ibm.com> on 2016/02/08 18:16:30 UTC
Availability of Hive distribution with authorization fix
Hi, are there plans to release Hive 1.2.2 with the authorization fix
mentioned in www.openwall.com/lists/oss-security/2016/01/28/12?
The above CVE description mentions "This issue has already been patched in
all Hive branches that are affected, and any future release will not need
these mitigation steps."
I see the binaries were last updated on the 26th of June 2015 based on
http://mvnrepository.com/artifact/org.apache.hive/hive-exec/1.2.1 and the
Hive downloads page https://hive.apache.org/downloads.html, so AFAIK the
binaries haven't been updated and therefore any project depending on Hive
(e.g. Apache Spark which bundles classes from 1.2.1, which is impacted)
will download and bundle the unpatched and vulnerable Hive code.
I think I've found the right commit based on searching for "security" in
Hive commits on branch 1.2.1 since four months ago; it's dated after the
26th of June, hence my concern.
As updating the jar for 1.2.1 would add doubt over whether the fix is
available in the jar or not, I think there should be a new minor release
(let's say 1.2.2) to avoid this.
Cheers,