Posted to commits@impala.apache.org by ta...@apache.org on 2020/04/24 22:48:26 UTC

[impala] 01/03: IMPALA-9647: Exclude fluent-hc-4.3.2.jar from fe/pom.xml

This is an automated email from the ASF dual-hosted git repository.

tarmstrong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 704ba38ae1b23d34829cf9a9b77f18b0b0235234
Author: David Knupp <dk...@cloudera.com>
AuthorDate: Mon Apr 20 10:17:29 2020 -0700

    IMPALA-9647: Exclude fluent-hc-4.3.2.jar from fe/pom.xml
    
    fluent-hc has been flagged in CVE-2014-3577 and CVE-2015-5262, and
    doesn't seem to be a required component for us.
    
    Tested first by confirming that the following line no longer shows
    up in the output of mvn dependency:tree after the change:
    
      +- org.apache.httpcomponents:fluent-hc:jar:4.3.2:compile
    
    Then confirmed that upstream tests on jenkins.impala.io pass.
    
    Change-Id: I245ddb50e17d49295b1a1ebaef6c17e1b92304f1
    Reviewed-on: http://gerrit.cloudera.org:8080/15760
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 fe/pom.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fe/pom.xml b/fe/pom.xml
index d29c525..61e26a2 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -142,6 +142,11 @@ under the License.
       <version>${hudi.version}</version>
         <exclusions>
           <exclusion>
+            <!-- IMPALA-9647 (re: CVE-2014-3577, CVE-2015-5262) -->
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>fluent-hc</artifactId>
+          </exclusion>
+          <exclusion>
             <groupId>org.apache.parquet</groupId>
             <artifactId>parquet-avro</artifactId>
           </exclusion>
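Review bot: The comment `<!-- IMPALA-9647 (re: CVE-2014-3577, CVE-2015-5262) -->` is placed inside the new `<exclusion>` element, between the opening tag and its `<groupId>`, whereas the second hunk puts the equivalent comment on the line before the element it annotates; moving it to just before `<exclusion>` keeps the two annotations consistent and reads more naturally. Also note that this exclusion only removes fluent-hc from the hudi dependency's transitive tree (the `${hudi.version}` block shown in context), so it is the `dependency:tree` check in the commit message, together with the ban in the second hunk, that guards against another dependency reintroducing the artifact; a short mention of that in the comment would help the next reader understand why both changes are needed.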
@@ -751,6 +756,8 @@ under the License.
                     <exclude>org.apache.logging.log4j:log4j-1.2-api</exclude>
                     <!-- IMPALA-9108: Avoid pulling in leveldbjni, which is unneeded. -->
                     <exclude>org.fusesource.leveldbjni:*</exclude>
+                    <!-- IMPALA-9647 (re: CVE-2014-3577, CVE-2015-5262) -->
+                    <exclude>org.apache.httpcomponents:fluent-hc</exclude>
                     <!-- Assert that we only use artifacts from only the specified
                          version of these components. -->
                     <exclude>org.apache.hadoop:*</exclude>
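Review bot: The new `<exclude>org.apache.httpcomponents:fluent-hc</exclude>` carries no version qualifier, so it rejects every version of fluent-hc, not just the 4.3.2 build named in the commit title; that is the right choice for defense in depth (the existing `org.fusesource.leveldbjni:*` entry takes the same approach), but it means a future dependency that ships a patched fluent-hc would also be blocked, and the comment should say that the artifact is excluded outright rather than only at the vulnerable version. Consider widening the comment to `<!-- IMPALA-9647: fluent-hc is not needed; all versions excluded (re: CVE-2014-3577, CVE-2015-5262) -->` so the intent is recorded where the rule lives.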