Posted to commits@doris.apache.org by ya...@apache.org on 2023/01/06 01:28:34 UTC

[doris] branch branch-1.2-lts updated: [vulnerability](CVE-2022-1292) fix CVE-2022-1292 (#15639)

This is an automated email from the ASF dual-hosted git repository.

yangzhg pushed a commit to branch branch-1.2-lts
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-1.2-lts by this push:
     new 395a7487f9 [vulnerability](CVE-2022-1292) fix CVE-2022-1292 (#15639)
395a7487f9 is described below

commit 395a7487f91049aafe84e5b031b739fe1ab586a5
Author: Zhengguo Yang <ya...@gmail.com>
AuthorDate: Thu Jan 5 21:57:16 2023 +0800

    [vulnerability](CVE-2022-1292) fix CVE-2022-1292 (#15639)
---
 .../main/java/org/apache/doris/mysql/MysqlHandshakePacket.java    | 4 +++-
 .../java/org/apache/doris/mysql/MysqlHandshakePacketTest.java     | 2 +-
 thirdparty/CHANGELOG.md                                           | 3 +++
 thirdparty/vars.sh                                                | 8 ++++----
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
index 56649ac6df..209f9b81cf 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
@@ -23,7 +23,9 @@ public class MysqlHandshakePacket extends MysqlPacket {
     // Version of handshake packet, since MySQL 3.21.0, Handshake of protocol 10 is used
     private static final int PROTOCOL_VERSION = 10;
     // JDBC uses this version to check which protocol the server support
-    public static final String SERVER_VERSION = "5.7.37";
+    // Set the patch version to 99 to prevent the vulnerability scanning tool from
+    // falsely reporting MySQL vulnerabilities
+    public static final String SERVER_VERSION = "5.7.99";
     // 33 stands for UTF-8 character set
     private static final int CHARACTER_SET = 33;
     // use default capability for all
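Review bot: The added comment on L37-38 gives the motivation but omits the consequence that matters to a maintainer: `SERVER_VERSION` is the value JDBC drivers use to decide which protocol features the server supports (L35 says so), and 5.7.99 is, as far as I know, not a real MySQL release, so a client that compares patch levels will treat this server as newer than every actual 5.7.x. It should also be stated that this string has nothing to do with CVE-2022-1292, which the same commit addresses by bumping openssl in thirdparty/vars.sh, so nobody later reads the version change as the fix. Suggest replacing the two added comment lines with `// Advertised MySQL version. JDBC drivers use it to select protocol features, so it must stay within the 5.7 line; the patch level 99 is deliberately fictitious so that version-based scanners do not match MySQL 5.7.x CVEs that do not apply to Doris.`. The enclosing class continues outside the hunk.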
diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
index 40d138f760..7637a8de66 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
@@ -62,7 +62,7 @@ public class MysqlHandshakePacketTest {
         // assert protocol version
         Assert.assertEquals(10, MysqlProto.readInt1(buffer));
         // server version
-        Assert.assertEquals("5.7.37", new String(MysqlProto.readNulTerminateString(buffer)));
+        Assert.assertEquals("5.7.99", new String(MysqlProto.readNulTerminateString(buffer)));
         // connection id
         Assert.assertEquals(1090, MysqlProto.readInt4(buffer));
         // plugin data 1
diff --git a/thirdparty/CHANGELOG.md b/thirdparty/CHANGELOG.md
index 3850252282..b8a70fb55f 100644
--- a/thirdparty/CHANGELOG.md
+++ b/thirdparty/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 This file contains version of the third-party dependency libraries in the build-env image. The docker build-env image is apache/doris, and the tag is `build-env-${version}`
 
+## v20230105
+- Modified: openssl 1.1.1m -> 1.1.1s fix CVE-2022-1292
+
 ## v20221230
 - Modified: libhdfs 2.3.2 -> 2.3.4
 
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index dc59be7788..87b6cc49b0 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -61,10 +61,10 @@ LIBEVENT_SOURCE=libevent-release-2.1.12-stable
 LIBEVENT_MD5SUM="0d5a27436bf7ff8253420c8cf09f47ca"
 
 # openssl
-OPENSSL_DOWNLOAD="https://github.com/openssl/openssl/archive/OpenSSL_1_1_1m.tar.gz"
-OPENSSL_NAME=openssl-OpenSSL_1_1_1m.tar.gz
-OPENSSL_SOURCE=openssl-OpenSSL_1_1_1m
-OPENSSL_MD5SUM="710c2368d28f1a25ab92e25b5b9b11ec"
+OPENSSL_DOWNLOAD="https://github.com/openssl/openssl/archive/OpenSSL_1_1_1s.tar.gz"
+OPENSSL_NAME=openssl-OpenSSL_1_1_1s.tar.gz
+OPENSSL_SOURCE=openssl-OpenSSL_1_1_1s
+OPENSSL_MD5SUM="7e79a7560dee77c0758baa33c61af4b4"
 
 # thrift
 THRIFT_DOWNLOAD="http://archive.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz"
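Review bot: The new OPENSSL_MD5SUM on L85 is the only integrity pin on the replacement tarball, and the URL on L82 still points at a GitHub auto-generated archive rather than the release tarball published by the OpenSSL project; GitHub does not guarantee those archives stay byte-stable, and MD5 is not collision-resistant, so the pin is both fragile and weak for a dependency that is being updated specifically for a security fix. Prefer the official release tarball together with its published SHA-256 over the md5sum of a GitHub archive; the `*_MD5SUM` variables are presumably consumed by the download script outside this hunk, so adding a SHA-256 check would need a matching change there rather than a rename here. Whichever digest is kept, record where it was verified in the comment on L77, e.g. `# openssl (tarball digest cross-checked against the upstream release announcement)`, so the next bump repeats the check instead of copying a hash from the download.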

