Posted to yarn-dev@hadoop.apache.org by "Steve Vaughan (Jira)" <ji...@apache.org> on 2022/06/27 18:15:00 UTC

[jira] [Created] (YARN-11199) Replace htrace-core with hbase-noop-htrace for CVE-2018-7489

Steve Vaughan created YARN-11199:
------------------------------------

             Summary: Replace htrace-core with hbase-noop-htrace for CVE-2018-7489
                 Key: YARN-11199
                 URL: https://issues.apache.org/jira/browse/YARN-11199
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: timelineservice
    Affects Versions: 3.4.0, 3.3.9, 3.3.4
         Environment: The build was performed using the Hadoop development environment.
            Reporter: Steve Vaughan


Distributions of Hadoop still contain htrace-core, which is affected by CVE-2018-7489, a critical vulnerability in FasterXML jackson-databind. This can be addressed by replacing `htrace-core` with `hbase-noop-htrace` in Hadoop builds. I'll extract this from [HADOOP-18311|https://issues.apache.org/jira/browse/HADOOP-18311].

Downloading the published 3.3.3 distribution, we can find htrace-core:
{code:bash}
% tar -tzf ~/Downloads/hadoop-3.3.3.tar.gz | grep htrace
hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar{code}
It also appears in builds of trunk:
{noformat}
% mvn -nsu clean install -Pdist,native -Drequire.snappy -Drequire.zstd -Drequire.openssl -Drequire.isal -DskipTests -Dtar -Dmaven.javadoc.skip=true
[...]
% tar -tzf hadoop-dist/target/hadoop-3.4.0-SNAPSHOT.tar.gz | grep htrace
hadoop-3.4.0-SNAPSHOT/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar{noformat}
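The two `tar -tzf ... | grep htrace` checks above can be turned into a repeatable gate that a release or CI job runs against any distribution tarball. The following POSIX shell script is an added example, not part of the Jira issue or of the Hadoop build: `find_jars` lists every entry in a `.tar.gz` that matches a pattern and exits non-zero when any is found, and `make_sample_dist` builds a constructed sample tarball (empty placeholder files named like the jars, laid out on the same `share/hadoop/yarn/timelineservice/lib` path shown above) so the check can be exercised offline. The `hadoop-sample` directory name and the `unrelated-1.0.jar` placeholder are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the Jira issue): gate a Hadoop distribution tarball on
# the absence of jars matching a pattern, e.g. the htrace-core jar that bundles
# the jackson-databind build affected by CVE-2018-7489.

# find_jars TARBALL PATTERN
#   Prints every archive entry matching PATTERN (extended regex), one per line.
#   Returns 0 when nothing matches (the distribution is clean), 1 otherwise.
find_jars() {
  tarball="$1"
  pattern="$2"
  # grep returns 1 on no match; "|| true" keeps that from aborting under set -e.
  matches=$(tar -tzf "$tarball" | grep -E -- "$pattern" || true)
  [ -n "$matches" ] || return 0
  printf '%s\n' "$matches"
  return 1
}

# make_sample_dist WORKDIR
#   Builds a constructed sample tarball mirroring the layout seen in the real
#   distribution (empty placeholder files stand in for the jars) and prints
#   its path. This exists only so the check can be demonstrated offline.
make_sample_dist() {
  work="$1"
  lib="$work/hadoop-sample/share/hadoop/yarn/timelineservice/lib"
  mkdir -p "$lib"
  : > "$lib/htrace-core-3.1.0-incubating.jar"   # placeholder, constructed
  : > "$lib/unrelated-1.0.jar"                  # placeholder, constructed
  tar -czf "$work/hadoop-sample.tar.gz" -C "$work" hadoop-sample
  printf '%s\n' "$work/hadoop-sample.tar.gz"
}

# demo: build the sample, run the gate, report, clean up.
demo() {
  work=$(mktemp -d)
  sample=$(make_sample_dist "$work")
  if find_jars "$sample" 'htrace-core'; then
    echo "OK: no htrace-core jar in $sample"
  else
    echo "FAIL: htrace-core jar(s) listed above are still shipped in $sample"
  fi
  rm -rf "$work"
}

# Run the demo only when invoked as: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

In a release pipeline you would point `find_jars` at the real `hadoop-dist/target/hadoop-*.tar.gz` instead of the constructed sample; a non-zero exit fails the job, and the printed entries tell you which module's `lib/` directory still pulls the jar in.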
--
This message was sent by Atlassian Jira
(v8.20.7#820007)