Posted to commits@doris.apache.org by mo...@apache.org on 2023/01/05 13:57:23 UTC
[doris] branch master updated: [vulnerability](CVE-2022-1292) fix CVE-2022-1292 (#15639)
This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 77ffafb766 [vulnerability](CVE-2022-1292) fix CVE-2022-1292 (#15639)
77ffafb766 is described below
commit 77ffafb766bff6714adcc03f06918541d7cf64bf
Author: Zhengguo Yang <ya...@gmail.com>
AuthorDate: Thu Jan 5 21:57:16 2023 +0800
[vulnerability](CVE-2022-1292) fix CVE-2022-1292 (#15639)
---
.../main/java/org/apache/doris/mysql/MysqlHandshakePacket.java | 4 +++-
.../java/org/apache/doris/mysql/MysqlHandshakePacketTest.java | 2 +-
thirdparty/CHANGELOG.md | 3 +++
thirdparty/vars.sh | 8 ++++----
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
index 56649ac6df..209f9b81cf 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
@@ -23,7 +23,9 @@ public class MysqlHandshakePacket extends MysqlPacket {
// Version of handshake packet, since MySQL 3.21.0, Handshake of protocol 10 is used
private static final int PROTOCOL_VERSION = 10;
// JDBC uses this version to check which protocol the server support
- public static final String SERVER_VERSION = "5.7.37";
+ // Set the patch version to 99 to prevent the vulnerability scanning tool from
+ // falsely reporting MySQL vulnerabilities
+ public static final String SERVER_VERSION = "5.7.99";
// 33 stands for UTF-8 character set
private static final int CHARACTER_SET = 33;
// use default capability for all
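Review bot: The comment added above `SERVER_VERSION` explains why the patch level changed, but not that `5.7.99` matches no MySQL release and says nothing about the server's real patch state. Banner-based scanners will now go quiet for genuine and false findings alike, so exposure tracking has to key on the Doris release and its bundled libraries; the CVE named in the commit title is addressed by the OpenSSL bump in thirdparty/vars.sh, not by this constant. I would extend the comment with `// Synthetic value, not a real MySQL release: it only silences banner-based scanners and reflects no MySQL patch level.` Clients that branch on the parsed server version (the context comment mentions JDBC) presumably still see a 5.7.x server, but that is worth confirming with a connector test. The class body continues outside the hunk.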
diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
index 40d138f760..7637a8de66 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
@@ -62,7 +62,7 @@ public class MysqlHandshakePacketTest {
// assert protocol version
Assert.assertEquals(10, MysqlProto.readInt1(buffer));
// server version
- Assert.assertEquals("5.7.37", new String(MysqlProto.readNulTerminateString(buffer)));
+ Assert.assertEquals("5.7.99", new String(MysqlProto.readNulTerminateString(buffer)));
// connection id
Assert.assertEquals(1090, MysqlProto.readInt4(buffer));
// plugin data 1
diff --git a/thirdparty/CHANGELOG.md b/thirdparty/CHANGELOG.md
index 7620e98d1e..c7f895965e 100644
--- a/thirdparty/CHANGELOG.md
+++ b/thirdparty/CHANGELOG.md
@@ -2,6 +2,9 @@
This file contains version of the third-party dependency libraries in the build-env image. The docker build-env image is apache/doris, and the tag is `build-env-${version}`
+## v20230105
+- Modified: openssl 1.1.1m -> 1.1.1s fix CVE-2022-1292
+
## v20221230
- Modified: libhdfs3 2.3.2 -> 2.3.4
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index 8e9551f79d..9a29d5bafb 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -61,10 +61,10 @@ LIBEVENT_SOURCE=libevent-release-2.1.12-stable
LIBEVENT_MD5SUM="0d5a27436bf7ff8253420c8cf09f47ca"
# openssl
-OPENSSL_DOWNLOAD="https://github.com/openssl/openssl/archive/OpenSSL_1_1_1m.tar.gz"
-OPENSSL_NAME=openssl-OpenSSL_1_1_1m.tar.gz
-OPENSSL_SOURCE=openssl-OpenSSL_1_1_1m
-OPENSSL_MD5SUM="710c2368d28f1a25ab92e25b5b9b11ec"
+OPENSSL_DOWNLOAD="https://github.com/openssl/openssl/archive/OpenSSL_1_1_1s.tar.gz"
+OPENSSL_NAME=openssl-OpenSSL_1_1_1s.tar.gz
+OPENSSL_SOURCE=openssl-OpenSSL_1_1_1s
+OPENSSL_MD5SUM="7e79a7560dee77c0758baa33c61af4b4"
# thrift
THRIFT_DOWNLOAD="http://archive.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz"
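Review bot: The refreshed `OPENSSL_MD5SUM` is the only integrity pin visible for a tarball fetched from a GitHub archive URL, and MD5 is not collision-resistant, so it guards against a corrupted download rather than a substituted archive. The code that consumes these variables is outside the hunk, so how the digest is checked cannot be seen here. If that code allows it, I would pin a SHA-256 for this entry, and until then add `# MD5 catches corruption only; compare the tarball with a SHA-256 from a trusted source before updating this pin`. The version bump itself matches the changelog entry for CVE-2022-1292.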