[jira] [Created] (HBASE-14872) Scan different timeRange per column family doesn't percolate down to the memstore
churro morales created HBASE-14872: -- Summary: Scan different timeRange per column family doesn't percolate down to the memstore Key: HBASE-14872 URL: https://issues.apache.org/jira/browse/HBASE-14872 Project: HBase Issue Type: Bug Components: Client, regionserver, Scanners Affects Versions: 2.0.0, 1.3.0 Reporter: churro morales Assignee: churro morales Fix For: 2.0.0, 1.3.0, 0.98.17 HBASE-14355 The scan different time range for column family feature was not applied to the memstore it was only done for the store files. This breaks the contract. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (HBASE-14871) Allow specifying the base branch for make_patch
Elliott Clark created HBASE-14871: - Summary: Allow specifying the base branch for make_patch Key: HBASE-14871 URL: https://issues.apache.org/jira/browse/HBASE-14871 Project: HBase Issue Type: Improvement Reporter: Elliott Clark Assignee: Elliott Clark -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (HBASE-14799) Commons-collections object deserialization remote command execution vulnerability
[ https://issues.apache.org/jira/browse/HBASE-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell resolved HBASE-14799. Resolution: Fixed Hadoop Flags: Reviewed Fix Version/s: 1.0.4 1.1.3 1.3.0 1.2.0 2.0.0 > Commons-collections object deserialization remote command execution > vulnerability > -- > > Key: HBASE-14799 > URL: https://issues.apache.org/jira/browse/HBASE-14799 > Project: HBase > Issue Type: Bug >Reporter: Andrew Purtell >Assignee: Andrew Purtell >Priority: Critical > Fix For: 2.0.0, 0.94.28, 1.2.0, 1.3.0, 1.1.3, 0.98.17, 1.0.4 > > Attachments: HBASE-14799-0.94.patch, HBASE-14799-0.94.patch, > HBASE-14799-0.94.patch, HBASE-14799-0.94.patch, HBASE-14799-0.94.patch, > HBASE-14799-0.98.patch, HBASE-14799-0.98.patch, HBASE-14799-0.98.patch, > HBASE-14799.patch, HBASE-14799.patch > > > Read: > http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ > TL;DR: If you have commons-collections on your classpath and accept and > process Java object serialization data, then you probably have an exploitable > remote command execution vulnerability. > 0.94 and earlier HBase releases are vulnerable because we might read in and > rehydrate serialized Java objects out of RPC packet data in > HbaseObjectWritable using ObjectInputStream#readObject (see > https://hbase.apache.org/0.94/xref/org/apache/hadoop/hbase/io/HbaseObjectWritable.html#714) > and we have commons-collections on the classpath on the server. > 0.98 also carries some limited exposure to this problem through inclusion of > backwards compatible deserialization code in > HbaseObjectWritableFor96Migration. This is used by the 0.94-to-0.98 migration > utility, and by the AccessController when reading permissions from the ACL > table serialized in legacy format by 0.94. Unprivileged users cannot run the > tool nor access the ACL table. > Unprivileged users can however attack a 0.94 installation. An attacker might > be able to use the method discussed on that blog post to capture valid HBase > RPC payloads for 0.94 and prior versions, rewrite them to embed an exploit, > and replay them to trigger a remote command execution with the privileges of > the account under which the HBase RegionServer daemon is running. > We need to make a patch release of 0.94 that changes HbaseObjectWritable to > disallow processing of random Java object serializations. This will be a > compatibility break that might affect old style coprocessors, which quite > possibly may rely on this catch-all in HbaseObjectWritable for custom object > (de)serialization. We can introduce a new configuration setting, > "hbase.allow.legacy.object.serialization", defaulting to false. > To be thorough, we can also use the new configuration setting > "hbase.allow.legacy.object.serialization" (defaulting to false) in 0.98 to > prevent the AccessController from falling back to the vulnerable legacy code. > This turns out to not affect the ability to migrate permissions because > TablePermission implements Writable, which is safe, not Serializable. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
Re: Successful: HBase Generate Website
Refreshed. On Tue, Nov 24, 2015 at 1:01 AM, Apache Jenkins Server < jenk...@builds.apache.org> wrote: > Build status: Successful > > If successful, the website and docs have been generated. Use the following > commands to publish the website: > > wget -O- > https://builds.apache.org/job/hbase_generate_website/40/artifact/website.patch.zip > | bsdtar xf - > git checkout asf-site && git pull && git am > 55087ce8887b5be38b0fda0dda3fbf2f92c13778.patch && git push origin asf-site > > If failed, see > https://builds.apache.org/job/hbase_generate_website/40/console
[jira] [Created] (HBASE-14870) Backport namespace permissions to 0.98
Andrew Purtell created HBASE-14870: -- Summary: Backport namespace permissions to 0.98 Key: HBASE-14870 URL: https://issues.apache.org/jira/browse/HBASE-14870 Project: HBase Issue Type: Task Reporter: Andrew Purtell Fix For: 0.98.17 Backport namespace permissions to 0.98. The new permission checks will be disabled by default for behavioral compatibility with previous releases, like what we did when we introduced enforcement of the EXEC permission. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
Successful: HBase Generate Website
Build status: Successful If successful, the website and docs have been generated. Use the following commands to publish the website: wget -O- https://builds.apache.org/job/hbase_generate_website/40/artifact/website.patch.zip | bsdtar xf - git checkout asf-site && git pull && git am 55087ce8887b5be38b0fda0dda3fbf2f92c13778.patch && git push origin asf-site If failed, see https://builds.apache.org/job/hbase_generate_website/40/console
Successful: hbase.apache.org HTML Checker
Successful If successful, the HTML and link-checking report for http://hbase.apache.org is available at https://builds.apache.org/job/HBase%20Website%20Link%20Ckecker/7/artifact/link_report/index.html. If failed, see https://builds.apache.org/job/HBase%20Website%20Link%20Ckecker/7/console.