Posted to dev@hive.apache.org by "Sundaram, Ramakrishnan" <rs...@visa.com.INVALID> on 2021/12/15 21:32:34 UTC
Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Hi,
I see in HIVE-25804 and HIVE-25795, testutils/ptest2/pom.xml is not upgraded to latest versions.
Is this a miss? Or the change is not needed?
Regards,
Ram
Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Posted by "Sundaram, Ramakrishnan" <rs...@visa.com.INVALID>.
Thanks Brahma, this clarifies.
On 12/16/21, 12:23 AM, "Battula, Brahma Reddy" <bb...@visa.com.INVALID> wrote:
Yes, looks like a PR got raised for the same, which I missed in the earlier mail. Hopefully it will get merged soon.
And to answer your following question.
But not sure the change on below file:
ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
SlidingFilenameRolloverStrategy implements (inherits) DirectFileRolloverStrategy… As part of the following fix, clearCurrentFileName(.) is introduced in DirectFileRolloverStrategy, which is merged in 2.11.2 and 3.0.0. And we are migrating from 2.8.2, hence this method is added.
https://issues.apache.org/jira/browse/LOG4J2-1906
https://github.com/apache/logging-log4j2/blob/42aa6aeb54a2d179b0271c09b450ca3d18c3a7a8/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectFileRolloverStrategy.java#L26
Hope this clarifies it for you. And you can even ask in the PRs, if you’ve any other doubts!
--Brahma Reddy Battula
From: Sundaram, Ramakrishnan <rs...@visa.com.INVALID>
Date: Thursday, 16 December 2021 at 11:48 AM
To: dev@hive.apache.org <de...@hive.apache.org>
Cc: security@hive.apache.org <se...@hive.apache.org>
Subject: Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Makes sense.
Also I see commit on branch-3: https://github.com/apache/hive/pull/2869/files
Details:
------------------------------------
[hive] branch branch-3 updated: HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
ngangam pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/branch-3 by this push:
new 63a056a HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
63a056a is described below
commit 63a056ae87de739ba2ea66fd4001f529357a4aa1
Author: Naveen Gangam <ng...@cloudera.com>
AuthorDate: Wed Dec 15 15:57:45 2021 -0500
HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
------------------------------------------
But not sure the change on below file:
ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
Regards,
Ram
================================================
On 12/15/21, 8:29 PM, "Battula, Brahma Reddy" <bb...@visa.com.INVALID> wrote:
It’s committed only for master, where we don’t have this.
Only for branch-2 and branch-3, we need to handle this file. Please see the following discussion for the same.
https://github.com/apache/hive/pull/2863
If you are interested, you can raise a PR for branch-2 and branch-3.
From: Sundaram, Ramakrishnan <rs...@visa.com.INVALID>
Date: Thursday, 16 December 2021 at 3:05 AM
To: dev@hive.apache.org <de...@hive.apache.org>
Cc: security@hive.apache.org <se...@hive.apache.org>
Subject: Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
+ security
From: "Sundaram, Ramakrishnan" <rs...@visa.com>
Date: Wednesday, December 15, 2021 at 1:32 PM
To: "dev@hive.apache.org" <de...@hive.apache.org>
Subject: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Hi,
I see in HIVE-25804 and HIVE-25795, testutils/ptest2/pom.xml is not upgraded to latest versions.
Is this a miss? Or the change is not needed?
Regards,
Ram
Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Posted by "Battula, Brahma Reddy" <bb...@visa.com.INVALID>.
Yes, looks like a PR got raised for the same, which I missed in the earlier mail. Hopefully it will get merged soon.
And to answer your following question.
But not sure the change on below file:
ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
SlidingFilenameRolloverStrategy implements (inherits) DirectFileRolloverStrategy… As part of the following fix, clearCurrentFileName(.) is introduced in DirectFileRolloverStrategy, which is merged in 2.11.2 and 3.0.0. And we are migrating from 2.8.2, hence this method is added.
https://issues.apache.org/jira/browse/LOG4J2-1906
https://github.com/apache/logging-log4j2/blob/42aa6aeb54a2d179b0271c09b450ca3d18c3a7a8/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/rolling/DirectFileRolloverStrategy.java#L26
Hope this clarifies it for you. And you can even ask in the PRs, if you’ve any other doubts!
--Brahma Reddy Battula
From: Sundaram, Ramakrishnan <rs...@visa.com.INVALID>
Date: Thursday, 16 December 2021 at 11:48 AM
To: dev@hive.apache.org <de...@hive.apache.org>
Cc: security@hive.apache.org <se...@hive.apache.org>
Subject: Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Makes sense.
Also I see commit on branch-3: https://github.com/apache/hive/pull/2869/files
Details:
------------------------------------
[hive] branch branch-3 updated: HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
ngangam pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/branch-3 by this push:
new 63a056a HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
63a056a is described below
commit 63a056ae87de739ba2ea66fd4001f529357a4aa1
Author: Naveen Gangam <ng...@cloudera.com>
AuthorDate: Wed Dec 15 15:57:45 2021 -0500
HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
------------------------------------------
But not sure the change on below file:
ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
Regards,
Ram
================================================
On 12/15/21, 8:29 PM, "Battula, Brahma Reddy" <bb...@visa.com.INVALID> wrote:
It’s committed only for master, where we don’t have this.
Only for branch-2 and branch-3, we need to handle this file. Please see the following discussion for the same.
https://github.com/apache/hive/pull/2863
If you are interested, you can raise a PR for branch-2 and branch-3.
From: Sundaram, Ramakrishnan <rs...@visa.com.INVALID>
Date: Thursday, 16 December 2021 at 3:05 AM
To: dev@hive.apache.org <de...@hive.apache.org>
Cc: security@hive.apache.org <se...@hive.apache.org>
Subject: Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
+ security
From: "Sundaram, Ramakrishnan" <rs...@visa.com>
Date: Wednesday, December 15, 2021 at 1:32 PM
To: "dev@hive.apache.org" <de...@hive.apache.org>
Subject: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Hi,
I see in HIVE-25804 and HIVE-25795, testutils/ptest2/pom.xml is not upgraded to latest versions.
Is this a miss? Or the change is not needed?
Regards,
Ram
Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Posted by "Sundaram, Ramakrishnan" <rs...@visa.com.INVALID>.
Makes sense.
Also I see commit on branch-3: https://github.com/apache/hive/pull/2869/files
Details:
------------------------------------
[hive] branch branch-3 updated: HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
ngangam pushed a commit to branch branch-3
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/branch-3 by this push:
new 63a056a HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
63a056a is described below
commit 63a056ae87de739ba2ea66fd4001f529357a4aa1
Author: Naveen Gangam <ng...@cloudera.com>
AuthorDate: Wed Dec 15 15:57:45 2021 -0500
HIVE-25795: Update log4j2 version to 2.16.0 for branch-3 (Naveen Gangam)
------------------------------------------
But not sure the change on below file:
ql/src/java/org/apache/hadoop/hive/ql/log/SlidingFilenameRolloverStrategy.java
Regards,
Ram
================================================
On 12/15/21, 8:29 PM, "Battula, Brahma Reddy" <bb...@visa.com.INVALID> wrote:
It’s committed only for master, where we don’t have this.
Only for branch-2 and branch-3, we need to handle this file. Please see the following discussion for the same.
https://github.com/apache/hive/pull/2863
If you are interested, you can raise a PR for branch-2 and branch-3.
From: Sundaram, Ramakrishnan <rs...@visa.com.INVALID>
Date: Thursday, 16 December 2021 at 3:05 AM
To: dev@hive.apache.org <de...@hive.apache.org>
Cc: security@hive.apache.org <se...@hive.apache.org>
Subject: Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
+ security
From: "Sundaram, Ramakrishnan" <rs...@visa.com>
Date: Wednesday, December 15, 2021 at 1:32 PM
To: "dev@hive.apache.org" <de...@hive.apache.org>
Subject: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Hi,
I see in HIVE-25804 and HIVE-25795, testutils/ptest2/pom.xml is not upgraded to latest versions.
Is this a miss? Or the change is not needed?
Regards,
Ram
Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Posted by "Battula, Brahma Reddy" <bb...@visa.com.INVALID>.
It’s committed only for master, where we don’t have this.
Only for branch-2 and branch-3, we need to handle this file. Please see the following discussion for the same.
https://github.com/apache/hive/pull/2863
If you are interested, you can raise a PR for branch-2 and branch-3.
From: Sundaram, Ramakrishnan <rs...@visa.com.INVALID>
Date: Thursday, 16 December 2021 at 3:05 AM
To: dev@hive.apache.org <de...@hive.apache.org>
Cc: security@hive.apache.org <se...@hive.apache.org>
Subject: Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
+ security
From: "Sundaram, Ramakrishnan" <rs...@visa.com>
Date: Wednesday, December 15, 2021 at 1:32 PM
To: "dev@hive.apache.org" <de...@hive.apache.org>
Subject: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Hi,
I see in HIVE-25804 and HIVE-25795, testutils/ptest2/pom.xml is not upgraded to latest versions.
Is this a miss? Or the change is not needed?
Regards,
Ram
Re: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Posted by "Sundaram, Ramakrishnan" <rs...@visa.com.INVALID>.
+ security
From: "Sundaram, Ramakrishnan" <rs...@visa.com>
Date: Wednesday, December 15, 2021 at 1:32 PM
To: "dev@hive.apache.org" <de...@hive.apache.org>
Subject: Regarding log4j2 upgrade: HIVE-25804, HIVE-25795 related to CVE-2021-44228
Hi,
I see in HIVE-25804 and HIVE-25795, testutils/ptest2/pom.xml is not upgraded to latest versions.
Is this a miss? Or the change is not needed?
Regards,
Ram
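
The question that opens this thread (a module POM left behind by the upgrade) can be checked mechanically. The following is an added example, not part of any message above and not Hive project tooling: it reports log4j2 dependencies in a POM that resolve below 2.16.0, the target named in HIVE-25795. The function names, the `log4j2.version` property name and the sample POM are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MIN_VERSION = (2, 16, 0)  # target version named in this thread
LOG4J_GROUP = "org.apache.logging.log4j"

def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def _parse_version(text):
    nums = re.findall(r"\d+", text)[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def stale_log4j_pins(pom_xml, inherited_props=None):
    """Return [(artifactId, version)] for log4j2 dependencies below MIN_VERSION."""
    root = ET.fromstring(pom_xml)
    props = dict(inherited_props or {})
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    findings = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("groupId") != LOG4J_GROUP:
            continue
        version = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:  # ${property} indirection: resolve locally or from the parent
            version = props.get(ref.group(1), "")
        if not version:  # managed elsewhere: needs a manual look
            findings.append((fields.get("artifactId"), "UNRESOLVED"))
        elif _parse_version(version) < MIN_VERSION:
            findings.append((fields.get("artifactId"), version))
    return findings

# Constructed sample POM (not copied from the Hive repository).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>%s</log4j2.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    print(stale_log4j_pins(SAMPLE_POM % "2.8.2"))
```

A module that does not inherit from the root POM carries its own version property, so each `pom.xml` in the tree has to be checked; pass the parent's properties as `inherited_props` only for modules that really inherit them.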