[https://issues.apache.org/jira/browse/HADOOP-15504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16512978#comment-16512978]
Sean Mackrory commented on HADOOP-15504:
----------------------------------------
All of the tests that fail pass for me locally and don't seem related to any
kind of maven or shading issue. I'll proceed to commit this soon if no one
objects. Thanks for the review [~ajisakaa]!
> Upgrade Maven and Maven Wagon versions
> --------------------------------------
>
> Key: HADOOP-15504
> URL: https://issues.apache.org/jira/browse/HADOOP-15504
> Project: Hadoop Common
> Issue Type: Bug
> Components: build
> Reporter: Sean Mackrory
> Assignee: Sean Mackrory
> Priority: Major
> Fix For: 3.2.0
>
> Attachments: HADOOP-15504.001.patch, HADOOP-15504.002.patch
>
>
> I'm not even sure that Hadoop's combination of the relevant dependencies is
> vulnerable (even if they are, this is a relatively minor vulnerability), but
> this is at least showing up as an issue in automated vulnerability scans.
> Details can be found here [https://maven.apache.org/security.html]
> (CVE-2013-0253, CVE-2012-6153). Essentially the combination of maven 3.0.4
> (we use 3.0, and I guess that maps to 3.0.4?) and older versions of wagon
> plugin don't use SSL properly (note that we neither use the WebDAV provider
> nor a 2.x version of the SSH plugin, which is why I suspect that the
> vulnerability does not affect Hadoop).
> I know some dependencies can be especially troublesome to upgrade - I suspect
> that Maven's critical role in our build might make this risky - so if anyone
> has ideas for how to more completely test this than a full build, please
> chime in.
--
This message was sent by Atlassian JIRA (v7.6.3#76005)