Posted to commits@impala.apache.org by ta...@apache.org on 2020/04/24 22:48:26 UTC
[impala] 01/03: IMPALA-9647: Exclude fluent-hc-4.3.2.jar from fe/pom.xml
This is an automated email from the ASF dual-hosted git repository.
tarmstrong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 704ba38ae1b23d34829cf9a9b77f18b0b0235234
Author: David Knupp <dk...@cloudera.com>
AuthorDate: Mon Apr 20 10:17:29 2020 -0700
IMPALA-9647: Exclude fluent-hc-4.3.2.jar from fe/pom.xml
fluent-hc has been flagged in CVE-2014-3577 and CVE-2015-5262, and
doesn't seem to be a required component for us.
Tested first by confirming that the following line no longer shows
up in the output of mvn dependency:tree after the change:
+- org.apache.httpcomponents:fluent-hc:jar:4.3.2:compile
Then confirmed that upstream tests on jenkins.impala.io pass.
Change-Id: I245ddb50e17d49295b1a1ebaef6c17e1b92304f1
Reviewed-on: http://gerrit.cloudera.org:8080/15760
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
fe/pom.xml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fe/pom.xml b/fe/pom.xml
index d29c525..61e26a2 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -142,6 +142,11 @@ under the License.
<version>${hudi.version}</version>
<exclusions>
<exclusion>
+ <!-- IMPALA-9647 (re: CVE-2014-3577, CVE-2015-5262) -->
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>fluent-hc</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-avro</artifactId>
</exclusion>
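Review bot: The comment on the new fluent-hc <exclusion> gives only the ticket and CVE IDs and does not record that the artifact is unneeded, which is the reason the commit message gives for dropping it. From `<!-- IMPALA-9647 (re: CVE-2014-3577, CVE-2015-5262) -->` alone, a maintainer cannot tell whether fluent-hc may come back at a patched version or must stay out; wording such as "fluent-hc is unneeded and flagged in CVE-2014-3577, CVE-2015-5262" would settle that. Note also that this exclusion only covers the single dependency whose <exclusions> block it sits in (the one versioned by ${hudi.version}), so it does not by itself stop another dependency from pulling the artifact in transitively.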
@@ -751,6 +756,8 @@ under the License.
<exclude>org.apache.logging.log4j:log4j-1.2-api</exclude>
<!-- IMPALA-9108: Avoid pulling in leveldbjni, which is unneeded. -->
<exclude>org.fusesource.leveldbjni:*</exclude>
+ <!-- IMPALA-9647 (re: CVE-2014-3577, CVE-2015-5262) -->
+ <exclude>org.apache.httpcomponents:fluent-hc</exclude>
<!-- Assert that we only use artifacts from only the specified
version of these components. -->
<exclude>org.apache.hadoop:*</exclude>
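Review bot: The new `<exclude>org.apache.httpcomponents:fluent-hc</exclude>` entry has no version, so it matches every fluent-hc release, while the commit subject and the dependency:tree check in the message name 4.3.2 only. If the intent is to keep fluent-hc out entirely because it is not needed, the comment should say so in the style of the IMPALA-9108 line just above ("Avoid pulling in leveldbjni, which is unneeded."); if only the flagged version is the concern, that narrower scope should be stated instead. As written, the comment lists the CVE IDs but leaves the scope of the ban to be inferred.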