Posted to issues@hive.apache.org by "Hive QA (Jira)" <ji...@apache.org> on 2020/05/30 17:17:00 UTC
[jira] [Commented] (HIVE-23583) Fix CVE-2020-1945: Apache Ant
insecure temporary file vulnerability by updating to latest ANT
[ https://issues.apache.org/jira/browse/HIVE-23583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17120318#comment-17120318 ]
Hive QA commented on HIVE-23583:
--------------------------------
Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/13004426/HIVE-23583.01.patch
{color:red}ERROR:{color} -1 due to no test(s) being added or modified.
{color:red}ERROR:{color} -1 due to 2 failed/errored test(s), 17216 tests executed
*Failed tests:*
{noformat}
org.apache.hadoop.hive.cli.TestMiniLlapLocalCliDriver.testCliDriver[schq_ingest] (batchId=95)
org.apache.hadoop.hive.metastore.security.TestZookeeperTokenStoreSSLEnabled.org.apache.hadoop.hive.metastore.security.TestZookeeperTokenStoreSSLEnabled (batchId=177)
{noformat}
Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/22695/testReport
Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/22695/console
Test logs: http://104.198.109.242/logs/PreCommit-HIVE-Build-22695/
Messages:
{noformat}
Executing org.apache.hive.ptest.execution.TestCheckPhase
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.YetusPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 2 tests failed
{noformat}
This message is automatically generated.
ATTACHMENT ID: 13004426 - PreCommit-HIVE-Build
> Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by updating to latest ANT
> ---------------------------------------------------------------------------------------------
>
> Key: HIVE-23583
> URL: https://issues.apache.org/jira/browse/HIVE-23583
> Project: Hive
> Issue Type: Bug
> Affects Versions: 3.1.2
> Reporter: Renukaprasad C
> Assignee: Renukaprasad C
> Priority: Major
> Fix For: 4.0.0
>
> Attachments: HIVE-23583.01.patch
>
>
> Update ANT to fix:
> CVE-2020-1945: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
> Description:
> Apache Ant uses the default temporary directory identified by the Java
> system property java.io.tmpdir for several tasks and may thus leak
> sensitive information. The fixcrlf and replaceregexp tasks also copy
> files from the temporary directory back into the build tree allowing an
> attacker to inject modified source files into the build process.
> Mitigation:
> Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
> java.io.tmpdir system property to point to a directory only readable and
> writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
> files if the underlying filesystem allows it, but we still recommend
> using a private temporary directory instead.
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1945
> https://nvd.nist.gov/vuln/detail/CVE-2020-1945
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
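The mitigation quoted in the issue description, as an added shell example that is not part of the original message and is not Hive or Ant project code: it checks a version string against the advisory's affected ranges and runs Ant with java.io.tmpdir pointed at a freshly created mode-0700 directory. ANT_OPTS is the Ant launcher's variable for JVM arguments; the function names and the ANT_CMD override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: apply the advisory's java.io.tmpdir mitigation around an Ant run.

# Return 0 if the Ant version is in the advisory's affected ranges
# (1.1 to 1.9.14 and 1.10.0 to 1.10.7), 1 if it is not, 2 if unparseable.
ant_version_affected() {
    case "$1" in ''|*[!0-9.]*) return 2 ;; esac
    IFS=. read -r major minor patch <<EOF
$1
EOF
    major=${major:-0}; minor=${minor:-0}
    patch=${patch%%.*}; patch=${patch:-0}
    if [ "$major" -ne 1 ] || [ "$minor" -lt 1 ]; then return 1; fi
    if [ "$minor" -le 8 ]; then return 0; fi
    if [ "$minor" -eq 9 ] && [ "$patch" -le 14 ]; then return 0; fi
    if [ "$minor" -eq 10 ] && [ "$patch" -le 7 ]; then return 0; fi
    return 1
}

# Create a new directory readable and writable only by the current user
# and print its path.
make_private_tmpdir() {
    (umask 077 && mktemp -d "${TMPDIR:-/tmp}/ant-tmp.XXXXXX")
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with mode exactly 0700.
is_private_dir() {
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" -perm 700 2>/dev/null)" ]
}

# Run Ant with java.io.tmpdir set to a private directory, then remove it.
# ANT_CMD (hypothetical override, used for testing) defaults to "ant".
ant_with_private_tmp() {
    dir=$(make_private_tmpdir) || return 1
    if ! is_private_dir "$dir"; then rm -rf "$dir"; return 1; fi
    status=0
    ANT_OPTS="${ANT_OPTS:+$ANT_OPTS }-Djava.io.tmpdir=$dir" \
        "${ANT_CMD:-ant}" "$@" || status=$?
    rm -rf "$dir"
    return "$status"
}

# Usage: ant_with_private_tmp <ant targets...>
```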