Posted to commits@camel.apache.org by GitBox <gi...@apache.org> on 2022/05/03 11:06:38 UTC

[GitHub] [camel-quarkus] ppalaga opened a new issue, #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

ppalaga opened a new issue, #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763

   See https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz
   We should avoid using `org.apache.hadoop:hadoop-common` older than 3.2.3
   
   ```
   $ mvn org.l2x6.cq:cq-prod-maven-plugin:2.23.0:find-dependency -N -e '-Dcq.gavPattern=org.apache.hadoop:hadoop-common'
   ...
   [WARNING] Found org.apache.camel.quarkus:camel-quarkus-hbase:2.9.0-SNAPSHOT:jar:
           -> org.apache.camel:camel-hbase:3.16.0:jar:
           -> org.apache.hbase:hbase-client:2.4.10:jar:
           -> org.apache.hadoop:hadoop-common:2.10.0:jar:
   ...
   [WARNING] Found org.apache.camel.quarkus:camel-quarkus-hdfs:2.9.0-SNAPSHOT:jar:
           -> org.apache.camel:camel-hdfs:3.16.0:jar:
           -> org.apache.hadoop:hadoop-common:3.3.2:jar:
   ...
   [WARNING] Found org.apache.camel.quarkus:camel-quarkus-spark:2.9.0-SNAPSHOT:jar:
           -> org.apache.camel:camel-spark:3.16.0:jar:
           -> org.apache.hadoop:hadoop-common:3.3.2:jar:
   ...
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
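As an added example (not part of the issue above or of the camel-quarkus project), the following script parses the `find-dependency` output format shown in the report and flags every dependency path that ends in `org.apache.hadoop:hadoop-common` below the 3.2.3 threshold the issue names. The sample input is copied from the report; the threshold constant, the function names and the version-ordering rule (a `-SNAPSHOT` qualifier sorts below the bare release) are assumptions of this example.

```python
"""Flag Maven dependency paths that pull in org.apache.hadoop:hadoop-common
older than a minimum version, by parsing the '[WARNING] Found ... -> ...'
output format of the cq-prod-maven-plugin find-dependency goal."""
import re
from typing import List, Tuple

# Assumed threshold: the issue says to avoid hadoop-common older than 3.2.3.
MIN_HADOOP_COMMON = "3.2.3"
TARGET_GA = "org.apache.hadoop:hadoop-common"

# Sample plugin output, copied from the issue report (the '...' separators
# are kept as they appear there).
SAMPLE_OUTPUT = """\
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-hbase:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-hbase:3.16.0:jar:
        -> org.apache.hbase:hbase-client:2.4.10:jar:
        -> org.apache.hadoop:hadoop-common:2.10.0:jar:
...
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-hdfs:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-hdfs:3.16.0:jar:
        -> org.apache.hadoop:hadoop-common:3.3.2:jar:
...
[WARNING] Found org.apache.camel.quarkus:camel-quarkus-spark:2.9.0-SNAPSHOT:jar:
        -> org.apache.camel:camel-spark:3.16.0:jar:
        -> org.apache.hadoop:hadoop-common:3.3.2:jar:
"""


def version_key(version: str):
    """Order versions numerically so that 2.10.0 > 2.9.0 (string comparison
    would get this wrong). A qualifier such as '-SNAPSHOT' sorts below the
    bare release with the same numbers; missing components count as 0."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if qualifier else 1)


def parse_paths(output: str) -> List[Tuple[str, List[str]]]:
    """Group each '[WARNING] Found <root>' line with the '->' lines that
    follow it, returning (root_gav, [dependency_gav, ...]) per path."""
    paths: List[Tuple[str, List[str]]] = []
    for line in output.splitlines():
        found = re.match(r"\[WARNING\] Found (\S+)", line)
        if found:
            paths.append((found.group(1).rstrip(":"), []))
            continue
        step = re.match(r"\s*->\s*(\S+)", line)
        if step and paths:
            paths[-1][1].append(step.group(1).rstrip(":"))
    return paths


def gav_version(gav: str) -> str:
    """Extract the version from groupId:artifactId:version[:type]."""
    return gav.split(":")[2]


def find_outdated(output: str, target_ga: str = TARGET_GA,
                  min_version: str = MIN_HADOOP_COMMON):
    """Return [(root_gav, found_version, path)] for every path whose
    target artifact is older than min_version."""
    hits = []
    for root, deps in parse_paths(output):
        for gav in deps:
            if gav.startswith(target_ga + ":"):
                found = gav_version(gav)
                if version_key(found) < version_key(min_version):
                    hits.append((root, found, deps))
    return hits


if __name__ == "__main__":
    for root, found, path in find_outdated(SAMPLE_OUTPUT):
        print(f"{root}: {TARGET_GA} {found} < {MIN_HADOOP_COMMON}")
        for gav in path:
            print(f"    -> {gav}")
```

Run against the sample, only the `camel-quarkus-hbase` path is reported (hadoop-common 2.10.0); the `hdfs` and `spark` paths resolve 3.3.2 and pass the page's 3.2.3 threshold. Feeding it the real plugin output (`mvn ... find-dependency ... | python check.py`) is a one-line change to read `sys.stdin` instead of `SAMPLE_OUTPUT`.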


[GitHub] [camel-quarkus] jamesnetherton commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
jamesnetherton commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1172067779

   I wonder if we should deprecate and remove `hdfs` & `hbase`? Hadoop is a massive bucket of stuff that seems to have no real dependency alignment or convergence management. Coupled with the fact these extensions are using different Hadoop versions, it makes maintaining them quite painful.




[GitHub] [camel-quarkus] aldettinger commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
aldettinger commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1326190424

   There was discussion in camel upstream to talk about deprecating spark, hbase and hdfs:
    + camel-spark (will be deprecated in camel, already removed in camel-quarkus)
    + camel-hbase (will be deprecated in camel, we could deprecate as well in camel-quarkus)
   
   Concerning camel-hdfs, the deprecation is reported in camel as there is community interest.
   Now comes the question of the maintenance in camel-quarkus:
    + This CVE should be fixed
    + I think we would have a single hadoop version left as we remove hbase
    + However I don't know how bad alignment/convergence could still be
   
   At this stage, I would report the deprecation of camel-quarkus-hdfs and reconsider when we hit another big maintenance issue.
   
   @jamesnetherton @ppalaga What do you think?




[GitHub] [camel-quarkus] zbendhiba commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
zbendhiba commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1327163962

   +1 for deprecating 




[GitHub] [camel-quarkus] aldettinger commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
aldettinger commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1371069940

   hbase has been deprecated in camel-quarkus commit https://github.com/apache/camel-quarkus/commit/bbbee804a215072c217912ffbf922a2438453c52




[GitHub] [camel-quarkus] jamesnetherton commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
jamesnetherton commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1176671664

   > What would you think about deprecating the `spark` extension too?
   
   We already removed Spark in 2.10.0 👍




[GitHub] [camel-quarkus] ppalaga commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
ppalaga commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1326363878

   +1 for deprecating both hdfs and hbase




[GitHub] [camel-quarkus] aldettinger closed issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
aldettinger closed issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows
URL: https://github.com/apache/camel-quarkus/issues/3763




[GitHub] [camel-quarkus] aldettinger commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
aldettinger commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1326731347

   Ok, let's deprecate both in Camel Quarkus then. We could come back if there is a strong community involvement to narrow down the maintenance burden in the future.




[GitHub] [camel-quarkus] ppalaga commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
ppalaga commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1178975678

   > I wonder if we should deprecate and remove hdfs & hbase? Hadoop is a massive bucket of stuff that seems to have no real dependency alignment or convergence management. Coupled with the fact these extensions are using different Hadoop versions, it makes maintaining them quite painful.
   
   I agree they are hard to maintain. Do you know if there were any discussions on Camel level to remove those? Ideally they should be agreed for deprecation and removal in Camel.




[GitHub] [camel-quarkus] aldettinger commented on issue #3763: CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows

Posted by GitBox <gi...@apache.org>.
aldettinger commented on issue #3763:
URL: https://github.com/apache/camel-quarkus/issues/3763#issuecomment-1176615371

   I agree we should deprecate them. Plus the hadoop community is not responsive about security. Plus we are relying on old versions without possibility to upgrade (at least for hbase).

