Posted to dev@drill.apache.org by GitBox <gi...@apache.org> on 2022/03/12 10:27:48 UTC

[GitHub] [drill] luocooong opened a new pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

luocooong opened a new pull request #2493:
URL: https://github.com/apache/drill/pull/2493


   # [DRILL-8164](https://issues.apache.org/jira/browse/DRILL-8164): Upgrade metadata-extractor because of CVE-2022-24613
   
   ## Description
   
   Also included the DRILL-8165 (Upgrade liquibase because of CVE-2022-0839).
   
   Please note that we should replace the `DatabaseFactory.getInstance()` with `Scope.getCurrentScope().getSingleton(DatabaseFactory.class)` once the following issue is resolved.
   
   https://github.com/liquibase/liquibase/issues/2349
   
   ## Documentation
   N/A
   
   ## Testing
   Use the CI.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@drill.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [drill] luocooong commented on pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
luocooong commented on pull request #2493:
URL: https://github.com/apache/drill/pull/2493#issuecomment-1072203334


   @jnturton Thanks for the question. Yes, version 2.16.0 could not resolve the safety issues. Actually, I hope that new progress will be made in the discussions [here](https://github.com/drewnoakes/metadata-extractor/issues/561), not that the issue has been put on hold.





[GitHub] [drill] luocooong commented on a change in pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
luocooong commented on a change in pull request #2493:
URL: https://github.com/apache/drill/pull/2493#discussion_r833082032



##########
File path: metastore/rdbms-metastore/src/main/java/org/apache/drill/metastore/rdbms/RdbmsMetastore.java
##########
@@ -117,6 +117,8 @@ private HikariDataSource dataSource(DrillConfig config) {
   private void initTables(DataSource dataSource) {
     try (Connection connection = dataSource.getConnection()) {
       JdbcConnection jdbcConnection = new JdbcConnection(connection);
+      // TODO Replace the following steps with new function once this issue is resolved.
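Review bot: the added TODO at the top of `initTables` refers to "this issue" and "new function" without naming either, so a reader of the source alone cannot act on it. Suggest citing the tracking issue and the intended replacement from the PR description, e.g. `// TODO Replace DatabaseFactory.getInstance() with Scope.getCurrentScope().getSingleton(DatabaseFactory.class) once https://github.com/liquibase/liquibase/issues/2349 is resolved.`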

Review comment:
       @cgivre Thanks. If we need to merge this pull request now, should the title be replaced with: `Upgrade metadata-extractor to 2.16.0`? Because the reader's author has not currently released a version higher than 2.16.0.







[GitHub] [drill] luocooong commented on a change in pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
luocooong commented on a change in pull request #2493:
URL: https://github.com/apache/drill/pull/2493#discussion_r834253110



##########
File path: metastore/rdbms-metastore/src/main/java/org/apache/drill/metastore/rdbms/RdbmsMetastore.java
##########
@@ -117,6 +117,8 @@ private HikariDataSource dataSource(DrillConfig config) {
   private void initTables(DataSource dataSource) {
     try (Connection connection = dataSource.getConnection()) {
       JdbcConnection jdbcConnection = new JdbcConnection(connection);
+      // TODO Replace the following steps with new function once this issue is resolved.

Review comment:
       Thanks, let's hold off the merge progress. Actually, I think this is a security issue with only a 50% probability, but in the latest responses from the reporting group, they point out that it can be exploited and attacked.








[GitHub] [drill] cgivre commented on a change in pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
cgivre commented on a change in pull request #2493:
URL: https://github.com/apache/drill/pull/2493#discussion_r833234640



##########
File path: metastore/rdbms-metastore/src/main/java/org/apache/drill/metastore/rdbms/RdbmsMetastore.java
##########
@@ -117,6 +117,8 @@ private HikariDataSource dataSource(DrillConfig config) {
   private void initTables(DataSource dataSource) {
     try (Connection connection = dataSource.getConnection()) {
       JdbcConnection jdbcConnection = new JdbcConnection(connection);
+      // TODO Replace the following steps with new function once this issue is resolved.

Review comment:
       @luocooong Let's hold off on merging to see if they release a new version. I'm actually not so sure that this is actually an issue. If you look at the report, the CVE seems like it was derived from a bug list rather than a vulnerability.







[GitHub] [drill] cgivre commented on a change in pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
cgivre commented on a change in pull request #2493:
URL: https://github.com/apache/drill/pull/2493#discussion_r832193471



##########
File path: metastore/rdbms-metastore/src/main/java/org/apache/drill/metastore/rdbms/RdbmsMetastore.java
##########
@@ -117,6 +117,8 @@ private HikariDataSource dataSource(DrillConfig config) {
   private void initTables(DataSource dataSource) {
     try (Connection connection = dataSource.getConnection()) {
       JdbcConnection jdbcConnection = new JdbcConnection(connection);
+      // TODO Replace the following steps with new function once this issue is resolved.

Review comment:
       @luocooong There seems to be a silly merge conflict with a code comment.  Would you mind taking a look and then we can merge?
   Thanks!







[GitHub] [drill] cgivre merged pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
cgivre merged pull request #2493:
URL: https://github.com/apache/drill/pull/2493


   





[GitHub] [drill] jnturton commented on pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
jnturton commented on pull request #2493:
URL: https://github.com/apache/drill/pull/2493#issuecomment-1068970869


   Unfortunately I think that metadata-extractor 2.16 is still vulnerable to CVE-2022-24613 and I cannot see any newer version.





[GitHub] [drill] cgivre commented on a change in pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
cgivre commented on a change in pull request #2493:
URL: https://github.com/apache/drill/pull/2493#discussion_r831198283



##########
File path: metastore/rdbms-metastore/src/main/java/org/apache/drill/metastore/rdbms/RdbmsMetastore.java
##########
@@ -117,6 +117,8 @@ private HikariDataSource dataSource(DrillConfig config) {
   private void initTables(DataSource dataSource) {
     try (Connection connection = dataSource.getConnection()) {
       JdbcConnection jdbcConnection = new JdbcConnection(connection);
+      // TODO Replace the following steps with new function once this issue is resolved.

Review comment:
       Actually... I think rebasing will solve this. Please rebase on current master with the liquibase PR merged, and then it's good to go.







[GitHub] [drill] cgivre commented on a change in pull request #2493: DRILL-8164: Upgrade metadata-extractor because of CVE-2022-24613

Posted by GitBox <gi...@apache.org>.
cgivre commented on a change in pull request #2493:
URL: https://github.com/apache/drill/pull/2493#discussion_r831196452



##########
File path: metastore/rdbms-metastore/src/main/java/org/apache/drill/metastore/rdbms/RdbmsMetastore.java
##########
@@ -117,6 +117,8 @@ private HikariDataSource dataSource(DrillConfig config) {
   private void initTables(DataSource dataSource) {
     try (Connection connection = dataSource.getConnection()) {
       JdbcConnection jdbcConnection = new JdbcConnection(connection);
+      // TODO Replace the following steps with new function once this issue is resolved.

Review comment:
       Could you please open a JIRA with this issue and reference here?



