Posted to dev@bigtop.apache.org by GitBox <gi...@apache.org> on 2021/12/19 06:51:10 UTC

[GitHub] [bigtop] iwasakims commented on a change in pull request #844: BIGTOP-3613 - Upgrade hive 2.3.6 to log4j 2.16.0

iwasakims commented on a change in pull request #844:
URL: https://github.com/apache/bigtop/pull/844#discussion_r771905476



##########
File path: bigtop-packages/src/common/hive/patch7-log4j2-2.16.0.diff
##########
@@ -0,0 +1,167 @@
+diff --git a/bin/hive-config.sh b/bin/hive-config.sh
+index d52b84eb5f..8381a25a05 100644
+--- a/bin/hive-config.sh
++++ b/bin/hive-config.sh
+@@ -68,3 +68,7 @@ export HIVE_AUX_JARS_PATH=$HIVE_AUX_JARS_PATH
+ 
+ # Default to use 256MB 
+ export HADOOP_HEAPSIZE=${HADOOP_HEAPSIZE:-256}
++
++# Disable the JNDI. This feature has critical RCE vulnerability.
++# when 2.x <= log4j.version <= 2.14.1
++export HADOOP_CLIENT_OPTS="$HADOOP_CLIENT_OPTS -Dlog4j2.formatMsgNoLookups=true"
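Review bot: The comment added above the export in bin/hive-config.sh misdescribes the flag. `-Dlog4j2.formatMsgNoLookups=true` turns off lookup substitution in log messages rather than JNDI itself, and it is only honored by log4j 2.10 and later, so the stated range "2.x <= log4j.version <= 2.14.1" overstates what it covers. Since the PR title moves Hive to log4j 2.16.0, consider rewording the comment to say the option is kept as defense in depth for older log4j jars that may still be on the classpath, and fix the broken sentence ("vulnerability. when"). The export also appends unconditionally, so the option is added again each time hive-config.sh is sourced; a guard that checks whether HADOOP_CLIENT_OPTS already contains it would avoid the duplicates.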
+diff --git a/druid-handler/pom.xml b/druid-handler/pom.xml
+index 4af3d5f00b..349be6628d 100644
+--- a/druid-handler/pom.xml
++++ b/druid-handler/pom.xml
+@@ -223,6 +223,11 @@
+       <artifactId>calcite-druid</artifactId>
+       <version>${calcite.version}</version>
+     </dependency>
++    <dependency>
++      <groupId>com.lmax</groupId>
++      <artifactId>disruptor</artifactId>
++      <version>${disruptor.version}</version>
++    </dependency>
+     <!-- test inter-project -->
+     <dependency>
+       <groupId>junit</groupId>
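Review bot: `${disruptor.version}` in the dependency added to druid-handler/pom.xml is not defined anywhere in the lines shown, so this hunk only builds if the property is set elsewhere in the patch; please confirm the root pom.xml defines it. The same five-line block is repeated in hbase-handler/pom.xml and jdbc/pom.xml with no explanation, so a short XML comment saying why disruptor is needed alongside the log4j upgrade would make the addition reviewable.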
+diff --git a/hbase-handler/pom.xml b/hbase-handler/pom.xml
+index 9b12f42651..0f009b6792 100644
+--- a/hbase-handler/pom.xml
++++ b/hbase-handler/pom.xml
+@@ -102,6 +102,11 @@
+       <artifactId>hbase-hadoop-compat</artifactId>
+       <version>${hbase.version}</version>
+     </dependency>
++    <dependency>
++      <groupId>com.lmax</groupId>
++      <artifactId>disruptor</artifactId>
++      <version>${disruptor.version}</version>
++    </dependency>
+ 
+     <!-- test inter-project -->
+     <dependency>
+diff --git a/jdbc/pom.xml b/jdbc/pom.xml
+index 45d9a733b4..d303de1645 100644
+--- a/jdbc/pom.xml
++++ b/jdbc/pom.xml
+@@ -109,6 +109,11 @@
+       <version>${hadoop.version}</version>
+       <optional>true</optional>
+     </dependency>
++    <dependency>
++      <groupId>com.lmax</groupId>
++      <artifactId>disruptor</artifactId>
++      <version>${disruptor.version}</version>
++    </dependency>
+     <!-- test inter-project -->
+     <dependency>
+       <groupId>junit</groupId>
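Review bot: The disruptor dependency added to jdbc/pom.xml has no `<scope>`, so it defaults to compile, and a direct declaration here takes precedence over whatever version Maven would otherwise resolve transitively. State the intended version and the reason in an XML comment, and check the `mvn dependency:tree` output for hive-jdbc after the change so that only one disruptor version ends up on the classpath.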

Review comment:
   hive-jdbc seems to depend on disruptor via hive-llap-server. If we modify llap-server/pom.xml, we do not need to fix jdbc/pom.xml?
   
   ```
   [INFO] org.apache.hive:hive-jdbc:jar:2.3.6
   ...
   [INFO] +- org.apache.hive:hive-service:jar:2.3.6:compile
   [INFO] |  +- org.apache.hive:hive-llap-server:jar:2.3.6:compile
   ...
   [INFO] |  |  +- org.apache.hbase:hbase-server:jar:1.5.0:compile
   [INFO] |  |  |  +- org.apache.hbase:hbase-procedure:jar:1.5.0:compile
   ...
   [INFO] |  |  |  \- com.lmax:disruptor:jar:3.3.0:compile
   ```
   



