[jira] [Commented] (HADOOP-18922) Race condition in ZKDelegationTokenSecretManager creating znode
[ https://issues.apache.org/jira/browse/HADOOP-18922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774594#comment-17774594 ]

Kevin Risden commented on HADOOP-18922:
---

branch-3.3 PR - https://github.com/apache/hadoop/pull/6179

> Race condition in ZKDelegationTokenSecretManager creating znode
> ---
>
> Key: HADOOP-18922
> URL: https://issues.apache.org/jira/browse/HADOOP-18922
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 3.4.0, 3.3.6
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0
>
> When multiple nodes come up at the same time, there is a race condition in ZKDelegationTokenSecretManager since the exists and create check do not mean that the znode was created in the meantime. HADOOP-18452 tried to fix this but the issue still exists.
>
> A better fix would be to catch the https://zookeeper.apache.org/doc/r3.9.0/apidocs/zookeeper-server/org/apache/zookeeper/KeeperException.NodeExistsException.html if the create fails when the znode already exists. This would eliminate the race condition.
>
> {code:java}
> 236 ERROR (jetty-launcher-8-thread-1) [n:127.0.0.1:56203_solr] o.a.s.s.CoreContainerProvider Could not start Solr. Check solr/home property and the logs
> => java.lang.RuntimeException: Could not start class org.apache.hadoop.security.token.delegation.web.DelegationTokenManager$ZKSecretManager: java.io.IOException: Could not create namespace
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenManager.init(DelegationTokenManager.java:149)
> java.lang.RuntimeException: Could not start class org.apache.hadoop.security.token.delegation.web.DelegationTokenManager$ZKSecretManager: java.io.IOException: Could not create namespace
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenManager.init(DelegationTokenManager.java:149) ~[hadoop-common-3.3.6.jar:?]
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.initTokenManager(DelegationTokenAuthenticationHandler.java:163) ~[hadoop-common-3.3.6.jar:?]
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.init(DelegationTokenAuthenticationHandler.java:131) ~[hadoop-common-3.3.6.jar:?]
> at org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeAuthHandler(AuthenticationFilter.java:194) ~[hadoop-auth-3.3.6.jar:?]
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.initializeAuthHandler(DelegationTokenAuthenticationFilter.java:215) ~[hadoop-common-3.3.6.jar:?]
> at org.apache.solr.security.hadoop.HadoopAuthFilter.initializeAuthHandler(HadoopAuthFilter.java:124) ~[main/:?]
> at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:180) ~[hadoop-auth-3.3.6.jar:?]
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.init(DelegationTokenAuthenticationFilter.java:181) ~[hadoop-common-3.3.6.jar:?]
> at org.apache.solr.security.hadoop.HadoopAuthFilter.init(HadoopAuthFilter.java:75) ~[main/:?]
> at org.apache.solr.security.hadoop.HadoopAuthPlugin.init(HadoopAuthPlugin.java:135) ~[main/:?]
> at org.apache.solr.core.CoreContainer.initializeAuthenticationPlugin(CoreContainer.java:569) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
> at org.apache.solr.core.CoreContainer.reloadSecurityProperties(CoreContainer.java:1185) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
> at org.apache.solr.core.CoreContainer.loadInternal(CoreContainer.java:854) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
> at org.apache.solr.core.CoreContainer.load(CoreContainer.java:763) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
> at org.apache.solr.servlet.CoreContainerProvider.createCoreContainer(CoreContainerProvider.java:427) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
> at org.apache.solr.servlet.CoreContainerProvider.init(CoreContainerProvider.java:246) [solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapsh
[jira] [Commented] (HADOOP-18922) Race condition in ZKDelegationTokenSecretManager creating znode
[ https://issues.apache.org/jira/browse/HADOOP-18922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774586#comment-17774586 ]

Kevin Risden commented on HADOOP-18922:
---

This was introduced in 3.3.6 so if there is going to be a 3.3.7/3.3.8 then branch-3.3 makes sense. I can open another PR if that's how to best handle it. It should cherry pick cleanly.

> Race condition in ZKDelegationTokenSecretManager creating znode
> ---
>
> Key: HADOOP-18922
> URL: https://issues.apache.org/jira/browse/HADOOP-18922
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 3.4.0, 3.3.6
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0
>
> When multiple nodes come up at the same time, there is a race condition in ZKDelegationTokenSecretManager since the exists and create check do not mean that the znode was created in the meantime. HADOOP-18452 tried to fix this but the issue still exists.
>
> A better fix would be to catch the https://zookeeper.apache.org/doc/r3.9.0/apidocs/zookeeper-server/org/apache/zookeeper/KeeperException.NodeExistsException.html if the create fails when the znode already exists. This would eliminate the race condition.
[jira] [Updated] (HADOOP-18922) Race condition in ZKDelegationTokenSecretManager creating znode
[ https://issues.apache.org/jira/browse/HADOOP-18922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated HADOOP-18922:
--
Status: Patch Available (was: Open)

PR https://github.com/apache/hadoop/pull/6150

> Race condition in ZKDelegationTokenSecretManager creating znode
> ---
>
> Key: HADOOP-18922
> URL: https://issues.apache.org/jira/browse/HADOOP-18922
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 3.3.6, 3.4.0
> Reporter: Kevin Risden
> Priority: Major
> Labels: pull-request-available
>
> When multiple nodes come up at the same time, there is a race condition in ZKDelegationTokenSecretManager since the exists and create check do not mean that the znode was created in the meantime. HADOOP-18452 tried to fix this but the issue still exists.
>
> A better fix would be to catch the https://zookeeper.apache.org/doc/r3.9.0/apidocs/zookeeper-server/org/apache/zookeeper/KeeperException.NodeExistsException.html if the create fails when the znode already exists. This would eliminate the race condition.
[jira] [Created] (HADOOP-18922) Race condition in ZKDelegationTokenSecretManager creating znode
Kevin Risden created HADOOP-18922:
-
Summary: Race condition in ZKDelegationTokenSecretManager creating znode
Key: HADOOP-18922
URL: https://issues.apache.org/jira/browse/HADOOP-18922
Project: Hadoop Common
Issue Type: Bug
Components: common
Affects Versions: 3.3.6, 3.4.0
Reporter: Kevin Risden

When multiple nodes come up at the same time, there is a race condition in ZKDelegationTokenSecretManager since the exists and create check do not mean that the znode was created in the meantime. HADOOP-18452 tried to fix this but the issue still exists.

A better fix would be to catch the https://zookeeper.apache.org/doc/r3.9.0/apidocs/zookeeper-server/org/apache/zookeeper/KeeperException.NodeExistsException.html if the create fails when the znode already exists. This would eliminate the race condition.

{code:java}
236 ERROR (jetty-launcher-8-thread-1) [n:127.0.0.1:56203_solr] o.a.s.s.CoreContainerProvider Could not start Solr. Check solr/home property and the logs
=> java.lang.RuntimeException: Could not start class org.apache.hadoop.security.token.delegation.web.DelegationTokenManager$ZKSecretManager: java.io.IOException: Could not create namespace
at org.apache.hadoop.security.token.delegation.web.DelegationTokenManager.init(DelegationTokenManager.java:149)
java.lang.RuntimeException: Could not start class org.apache.hadoop.security.token.delegation.web.DelegationTokenManager$ZKSecretManager: java.io.IOException: Could not create namespace
at org.apache.hadoop.security.token.delegation.web.DelegationTokenManager.init(DelegationTokenManager.java:149) ~[hadoop-common-3.3.6.jar:?]
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.initTokenManager(DelegationTokenAuthenticationHandler.java:163) ~[hadoop-common-3.3.6.jar:?]
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.init(DelegationTokenAuthenticationHandler.java:131) ~[hadoop-common-3.3.6.jar:?]
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.initializeAuthHandler(AuthenticationFilter.java:194) ~[hadoop-auth-3.3.6.jar:?]
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.initializeAuthHandler(DelegationTokenAuthenticationFilter.java:215) ~[hadoop-common-3.3.6.jar:?]
at org.apache.solr.security.hadoop.HadoopAuthFilter.initializeAuthHandler(HadoopAuthFilter.java:124) ~[main/:?]
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:180) ~[hadoop-auth-3.3.6.jar:?]
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.init(DelegationTokenAuthenticationFilter.java:181) ~[hadoop-common-3.3.6.jar:?]
at org.apache.solr.security.hadoop.HadoopAuthFilter.init(HadoopAuthFilter.java:75) ~[main/:?]
at org.apache.solr.security.hadoop.HadoopAuthPlugin.init(HadoopAuthPlugin.java:135) ~[main/:?]
at org.apache.solr.core.CoreContainer.initializeAuthenticationPlugin(CoreContainer.java:569) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.apache.solr.core.CoreContainer.reloadSecurityProperties(CoreContainer.java:1185) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.apache.solr.core.CoreContainer.loadInternal(CoreContainer.java:854) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.apache.solr.core.CoreContainer.load(CoreContainer.java:763) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.apache.solr.servlet.CoreContainerProvider.createCoreContainer(CoreContainerProvider.java:427) ~[solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.apache.solr.servlet.CoreContainerProvider.init(CoreContainerProvider.java:246) [solr-core-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.apache.solr.embedded.JettySolrRunner$1.lifeCycleStarted(JettySolrRunner.java:405) [solr-test-framework-10.0.0-SNAPSHOT.jar:10.0.0-SNAPSHOT a3945a2c3710b1a355abdea7a2e63b5353ad0723 [snapshot build, details omitted]]
at org.eclipse.jetty.util.component.AbstractLifeCycle.setStarted(AbstractLifeCycle.java:253) [jetty-util-10.0.16.jar:10.0.16]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:94) [jetty-util-10.0.16.jar:10.0.16]
at org.apache.s
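The fix HADOOP-18922 proposes (create first, then treat NodeExistsException as the znode already being present) written out as an added example against the raw org.apache.zookeeper.ZooKeeper client API. This is not the Hadoop PR's code, which goes through Curator rather than the raw client; the path, data and ACL arguments are whatever the caller passes, and the ACL comparison in the last method is an extra precaution of this example, not something the ticket asks for.

```java
import java.util.HashSet;
import java.util.List;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;

public class ZnodeBootstrap {

    // Racy (check-then-act): two nodes starting together can both observe "absent",
    // and the one that loses the create() gets NodeExistsException and aborts startup,
    // which is the "Could not create namespace" failure in the ticket.
    static void createIfAbsentRacy(ZooKeeper zk, String path, byte[] data, List<ACL> acl)
            throws KeeperException, InterruptedException {
        if (zk.exists(path, false) == null) {
            zk.create(path, data, acl, CreateMode.PERSISTENT);
        }
    }

    // Fixed: attempt the create unconditionally and treat NodeExistsException as success.
    // The znode existing is the desired post-condition no matter which peer created it.
    // Returns true if this caller created the znode, false if a peer got there first.
    static boolean createIfAbsent(ZooKeeper zk, String path, byte[] data, List<ACL> acl)
            throws KeeperException, InterruptedException {
        try {
            zk.create(path, data, acl, CreateMode.PERSISTENT);
            return true;
        } catch (KeeperException.NodeExistsException e) {
            return false;
        }
    }

    // Example-only caveat: when the znode already existed, it holds state this process
    // will trust (for a secret manager, key material), so confirm its ACL is the one we
    // would have set rather than something more permissive left behind by another writer.
    static boolean createIfAbsentCheckingAcl(ZooKeeper zk, String path, byte[] data, List<ACL> acl)
            throws KeeperException, InterruptedException {
        boolean created = createIfAbsent(zk, path, data, acl);
        if (!created) {
            List<ACL> actual = zk.getACL(path, new Stat());
            if (!new HashSet<>(actual).equals(new HashSet<>(acl))) {
                throw new IllegalStateException(
                        "znode " + path + " already exists with unexpected ACL " + actual);
            }
        }
        return created;
    }
}
```

createIfAbsent is idempotent and safe to call from every node at startup; the only situation it does not cover is a peer deleting the znode between the failed create and a later read, which the caller handles by retrying rather than by re-checking exists() first.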
[jira] [Comment Edited] (HADOOP-17563) Update Bouncy Castle to 1.68
[ https://issues.apache.org/jira/browse/HADOOP-17563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352744#comment-17352744 ]

Kevin Risden edited comment on HADOOP-17563 at 5/27/21, 8:45 PM:
-

I think the link to the vulnerability in the description is wrong? https://nvd.nist.gov/vuln/detail/CVE-2020-26939 and https://nvd.nist.gov/vuln/detail/CVE-2020-28052 and https://nvd.nist.gov/vuln/detail/CVE-2020-15522 could be correct? At least CVE-2020-26939 applies to 1.60 and is fixed in 1.61 or later. CVE-2020-28052 applies to 1.65 and 1.66. Based on https://snyk.io/vuln/maven:org.bouncycastle:bcprov-jdk15on 1.67 or later currently has no CVEs.

was (Author: risdenk):
I think the link to the vulnerability in the description is wrong? https://nvd.nist.gov/vuln/detail/CVE-2020-26939 and https://nvd.nist.gov/vuln/detail/CVE-2020-28052 could be correct? At least CVE-2020-26939 applies to 1.60 and is fixed in 1.61 or later. CVE-2020-28052 applies to 1.65 and 1.66.

> Update Bouncy Castle to 1.68
>
> Key: HADOOP-17563
> URL: https://issues.apache.org/jira/browse/HADOOP-17563
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Takanobu Asanuma
> Assignee: Takanobu Asanuma
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.3.1, 3.4.0, 3.2.3
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> Bouncy Castle 1.60 has Hash Collision Vulnerability. Let's update to 1.68.
> https://www.sourceclear.com/vulnerability-database/security/hash-collision/java/sid-6009

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HADOOP-17563) Update Bouncy Castle to 1.68
[ https://issues.apache.org/jira/browse/HADOOP-17563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352744#comment-17352744 ]

Kevin Risden edited comment on HADOOP-17563 at 5/27/21, 8:44 PM:
-

I think the link to the vulnerability in the description is wrong? https://nvd.nist.gov/vuln/detail/CVE-2020-26939 and https://nvd.nist.gov/vuln/detail/CVE-2020-28052 could be correct? At least CVE-2020-26939 applies to 1.60 and is fixed in 1.61 or later. CVE-2020-28052 applies to 1.65 and 1.66.

was (Author: risdenk):
I think the link to the vulnerability in the description is wrong? https://nvd.nist.gov/vuln/detail/CVE-2020-26939 At least CVE-2020-26939 applies to 1.60 and is fixed in 1.61 or later.
[jira] [Commented] (HADOOP-17563) Update Bouncy Castle to 1.68
[ https://issues.apache.org/jira/browse/HADOOP-17563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352744#comment-17352744 ]

Kevin Risden commented on HADOOP-17563:
---

I think the link to the vulnerability in the description is wrong? https://nvd.nist.gov/vuln/detail/CVE-2020-26939 At least CVE-2020-26939 applies to 1.60 and is fixed in 1.61 or later.
[jira] [Commented] (HADOOP-14115) SimpleDateFormatter's are constructed w/default Locale, causing malformed dates on some platforms
[ https://issues.apache.org/jira/browse/HADOOP-14115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241559#comment-17241559 ]

Kevin Risden commented on HADOOP-14115:
---

HADOOP-15681 might be the same as this ticket.

> SimpleDateFormatter's are constructed w/default Locale, causing malformed dates on some platforms
>
> Key: HADOOP-14115
> URL: https://issues.apache.org/jira/browse/HADOOP-14115
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Chris M. Hostetter
> Priority: Major
>
> In at least one place I know of in Hadoop, {{SimpleDateFormatter}} is used to serialize {{Date}} object in a format intended for machine consumption -- and should be following strict formatting rules -- but the {{SimpleDateFormatter}} instance is not constructed with an explicit {{Locale}} so the platform default is used instead. This causes things like "Day name in week" ({{E}}) to generate unexpected results depending on the Locale of the machine where the code is running, resulting in date-time strings that violate the formatting rules.
>
> A specific example of this is {{AuthenticationFilter.createAuthCookie}} which has code that looks like this...
> {code}
> Date date = new Date(expires);
> SimpleDateFormat df = new SimpleDateFormat("EEE, " +
>     "dd-MMM-yyyy HH:mm:ss zzz");
> df.setTimeZone(TimeZone.getTimeZone("GMT"));
> sb.append("; Expires=").append(df.format(date));
> {code}
> ...which can cause invalid expiration attributes in the {{Set-Cookies}} header like this (as noted by http-commons's {{ResponseProcessCookies}} class...
> {noformat}
> WARN: Invalid cookie header: "Set-Cookie: hadoop.auth=; Path=/; Domain=127.0.0.1; Expires=Ara, 01-Sa-1970 00:00:00 GMT; HttpOnly". Invalid 'expires' attribute: Ara, 01-Sa-1970 00:00:00 GMT
> {noformat}
> There are very likely many other places in the hadoop code base where the default {{Locale}} is being unintentionally used when formatting Dates/Numbers.
[jira] [Commented] (HADOOP-15681) AuthenticationFilter should generate valid date format for Set-Cookie header regardless of default Locale
[ https://issues.apache.org/jira/browse/HADOOP-15681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241558#comment-17241558 ]

Kevin Risden commented on HADOOP-15681:
---

HADOOP-14115 might be related/duplicate/resolved because of this ticket.

> AuthenticationFilter should generate valid date format for Set-Cookie header regardless of default Locale
> -
>
> Key: HADOOP-15681
> URL: https://issues.apache.org/jira/browse/HADOOP-15681
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.2.0
> Reporter: Cao Manh Dat
> Assignee: Cao Manh Dat
> Priority: Minor
> Fix For: 3.3.0, 3.2.1, 3.1.3
>
> Attachments: HADOOP-15681.patch
>
> Hi guys,
> When I try to set up Hadoop Kerberos authentication for Solr (HTTP2), I met this exception:
> {code}
> java.lang.IllegalArgumentException: null
> at org.eclipse.jetty.http2.hpack.Huffman.octetsNeeded(Huffman.java:435) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.hpack.Huffman.octetsNeeded(Huffman.java:409) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.hpack.HpackEncoder.encodeValue(HpackEncoder.java:368) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.hpack.HpackEncoder.encode(HpackEncoder.java:302) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.hpack.HpackEncoder.encode(HpackEncoder.java:179) ~[http2-hpack-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.generator.HeadersGenerator.generateHeaders(HeadersGenerator.java:72) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.generator.HeadersGenerator.generate(HeadersGenerator.java:56) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.generator.Generator.control(Generator.java:80) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.HTTP2Session$ControlEntry.generate(HTTP2Session.java:1163) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.HTTP2Flusher.process(HTTP2Flusher.java:184) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.util.IteratingCallback.processing(IteratingCallback.java:241) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.util.IteratingCallback.iterate(IteratingCallback.java:224) ~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.HTTP2Session.frame(HTTP2Session.java:685) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.HTTP2Session.frames(HTTP2Session.java:657) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.HTTP2Stream.headers(HTTP2Stream.java:107) ~[http2-common-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.server.HttpTransportOverHTTP2.sendHeadersFrame(HttpTransportOverHTTP2.java:235) ~[http2-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.http2.server.HttpTransportOverHTTP2.send(HttpTransportOverHTTP2.java:134) ~[http2-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.HttpChannel.sendResponse(HttpChannel.java:790) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.HttpChannel.write(HttpChannel.java:846) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.HttpOutput.write(HttpOutput.java:240) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.HttpOutput.write(HttpOutput.java:216) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.HttpOutput.close(HttpOutput.java:298) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.HttpWriter.close(HttpWriter.java:49) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.ResponseWriter.close(ResponseWriter.java:163) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.Response.closeOutput(Response.java:1038) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.handler.ErrorHandler.generateAcceptableResponse(ErrorHandler.java:178) ~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
> at org.eclipse.jetty.server.handler.ErrorHandler.doError(ErrorHandler.java:142) ~[jetty-server-9.4.11.v2018
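The invalid Expires attribute in HADOOP-14115 and the HTTP/2 header-encoding failure in HADOOP-15681 both trace back to the same line: a SimpleDateFormat built without an explicit Locale. The following is an added example, not code from either ticket or from Hadoop, that reproduces the problem by switching the JVM default locale, then shows the fix (pinning Locale.US) and a small RFC 6265 sanity check a server can apply before emitting the header. The tr-TR locale is an arbitrary choice of non-English platform default made for this example.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

public class CookieExpiresDemo {

    // Same pattern AuthenticationFilter.createAuthCookie uses for the Expires attribute.
    private static final String PATTERN = "EEE, dd-MMM-yyyy HH:mm:ss zzz";

    // Before: the platform default locale decides how EEE and MMM are spelled, so a
    // machine-readable header ends up carrying localized (possibly non-ASCII) tokens.
    static String formatWithDefaultLocale(long expires) {
        SimpleDateFormat df = new SimpleDateFormat(PATTERN);
        df.setTimeZone(TimeZone.getTimeZone("GMT"));
        return df.format(new Date(expires));
    }

    // After: pin Locale.US so day and month names are always the English abbreviations
    // that cookie parsers (and HPACK's Huffman encoder) expect.
    static String formatWithUsLocale(long expires) {
        SimpleDateFormat df = new SimpleDateFormat(PATTERN, Locale.US);
        df.setTimeZone(TimeZone.getTimeZone("GMT"));
        return df.format(new Date(expires));
    }

    // Sanity check mirroring what an RFC 6265 cookie-date parser accepts: ASCII English
    // day and month abbreviations, two-digit day, four-digit year, GMT. Use it as an
    // assertion in tests or as a guard before the value is written into Set-Cookie.
    static boolean isRfc6265CookieDate(String value) {
        return value.matches("(Mon|Tue|Wed|Thu|Fri|Sat|Sun), "
                + "\\d{2}-(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)-\\d{4} "
                + "\\d{2}:\\d{2}:\\d{2} GMT");
    }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            // Simulate a non-English platform default; chosen for the example only.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            long epoch = 0L; // 1970-01-01T00:00:00Z, the expiry used to clear the cookie in the report

            String localized = formatWithDefaultLocale(epoch);
            String pinned = formatWithUsLocale(epoch);

            System.out.println("default locale: " + localized
                    + "  valid=" + isRfc6265CookieDate(localized));
            System.out.println("Locale.US:      " + pinned
                    + "  valid=" + isRfc6265CookieDate(pinned));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

On a JVM whose default locale is English both lines print a valid date, which is exactly why this class of bug survives until the code lands on a host with a different locale; running the main method above forces the failure regardless of the host's settings.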
[jira] [Commented] (HADOOP-11219) Upgrade to netty 4
[ https://issues.apache.org/jira/browse/HADOOP-11219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17173383#comment-17173383 ]

Kevin Risden commented on HADOOP-11219:
---

https://snyk.io/vuln/SNYK-JAVA-IONETTY-473694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
https://github.com/netty/netty/issues/9571#issuecomment-552070089

There is at least one CVE affecting Netty <4 - Ironically this was published around the same week as [~weichiu]'s comment.

> Upgrade to netty 4
> --
>
> Key: HADOOP-11219
> URL: https://issues.apache.org/jira/browse/HADOOP-11219
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Haohui Mai
> Assignee: Haohui Mai
> Priority: Major
>
> This is an umbrella jira to track the effort of upgrading to Netty 4.
[jira] [Created] (HADOOP-16344) Make DurationInfo "public unstable"
Kevin Risden created HADOOP-16344:
-
Summary: Make DurationInfo "public unstable"
Key: HADOOP-16344
URL: https://issues.apache.org/jira/browse/HADOOP-16344
Project: Hadoop Common
Issue Type: Improvement
Components: util
Reporter: Kevin Risden

HADOOP-16093 moved DurationInfo to hadoop-common org.apache.hadoop.util. It would be useful if DurationInfo was annotated as "public unstable".

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)