Unsubscribe

2020-06-04 Thread xujingyu
unsubscribe

Best Regards

Re: Hadoop Jira Bug Workflows/Lifecycle Documentation

2020-06-04 Thread Brahma Reddy Battula
Hi Ajay,

Good to hear from you. Go through the following, which will help you:

https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute

On Mon, May 18, 2020 at 12:48 PM Ajay Bakhshi wrote:

> Hi Friends,
>
> Does anyone know if there is documentation on How Hadoop Engineering uses
> Jira. Various workflows e.g.
>
> Values of "Status" & "Resolution" field and their meanings.
> How is a bug targeted for multiple releases.
>
> Looking for detailed documentation, if any.
>
> Thanks
>
> -Ajay Bakhshi
>


-- 
--Brahma Reddy Battula


Re: CVE-2017-3161 & CVE-2017-3162 | WhiteSource

2020-06-04 Thread Steve Loughran
Thanks for getting in touch.

Neither of these branches is maintained; they are on the end-of-life list:
https://cwiki.apache.org/confluence/display/HADOOP/EOL+%28End-of-life%29+Release+Branches

Our policy regarding any security issue in those branches is:

   1. upgrade to a supported release, ideally the latest release of the
   Hadoop 3 line, which is currently 3.2.1
   2. see if the problem is still there

All your customers should upgrade to a maintained version, not just to get
fixes in our code, but to get fixes in libraries which we ourselves depend
upon. Special callout to Jackson there.

Regarding the specific CVEs, I believe both were fixed in
https://issues.apache.org/jira/browse/HDFS-6252, *Phase out the old web UI
in HDFS*.

Hope this helps.

On Thu, 4 Jun 2020 at 11:55, Daniel Elkabes <daniel.elka...@whitesourcesoftware.com> wrote:

> Dear Hadoop,
>
> My name is Daniel Elkabes, I'm the lead security researcher at
> WhiteSource. WhiteSource offers a solution for managing open source
> software security and features a vast database of reported security
> vulnerabilities that is consulted daily by clients worldwide.
>
> As part of our research we tried to find vulnerable elements for certain
> CVEs. Two of them are: CVE-2017-3161 and CVE-2017-3162.
>
> During the research we realized there is a problem determining the exact
> vulnerable elements. We have correlated information from online sources in
> order to find the relevant class/file/method.
>
> The researched versions for both of the CVEs are: 2.6.5 (vulnerable) and
> 2.7.0 (fixed)
>
> We have found some elements for CVE-2017-3161 and CVE-2017-3162 although
> we still lack conclusive evidence. Here's what we have found:
>
> As for *CVE-2017-3161*, we have found the following elements:
>
> location:
> \hadoop-2.7.0-src\hadoop-hdfs-project\hadoop-hdfs\src\main\java\org\apache\hadoop\hdfs\server\namenode\NameNode.java
>
> *class: NameNode*
>
> *methods: getServiceAddress(Configuration conf, boolean fallback);
> getHttpAddress(Configuration conf)*
>
>
> It seems that the HTTP address is directly constructed from the user's
> input. The fix (version 2.7.0) is performed by trimming the address. It's
> not a full mitigation to an XSS attack, thus we are not entirely sure
> whether these elements are the ones attached to CVE-2017-3161.
>
> As for *CVE-2017-3162*, we found the following elements:
>
> location:
> \hadoop-2.6.0-src\hadoop-hdfs-project\hadoop-hdfs\src\main\java\org\apache\hadoop\hdfs\server\datanode\DataNode.java
>
> *class: DataNode*
>
> *methods: startInfoServer(Configuration conf)*
>
>
> We are not entirely sure whether these elements are the ones related to
> CVE-2017-3162.
>
> As a last resort, we are contacting you as the main maintainer of the
> project to see what you think about this CVE and if you have any input to
> give us.
> We would really appreciate any additional information that you can give us,
> as we want to let our clients and the community understand it better.
>
> Sincerely,
>
> --
>
> *Daniel Elkabes*
> Sr. Security Researcher
>
> www.WhiteSourceSoftware.com
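The point Daniel raises above, that trimming whitespace from a value does not stop it from carrying markup into a page, is worth seeing concretely. The following is an added illustration written for this page; it is not Hadoop code, not the HDFS-6252 change, and not the NameNode/DataNode methods named in the thread. The two render functions are hypothetical stand-ins for "interpolate an address into HTML", the sample addresses are constructed, and the host:port allow-list grammar is an assumption about what a web address setting should look like. It contrasts the trim-only handling with the two controls that actually address XSS: validating the value against a strict grammar at the configuration boundary, and HTML-escaping it on output.

```python
import html
import re

# Constructed sample inputs for the demo; not values from Hadoop or the CVE reports.
SAMPLE_ADDRESSES = {
    "clean": "  namenode.example.internal:50070  ",
    "crafted": "  <script>alert(1)</script>:50070  ",
}

# Hypothetical allow-list grammar: DNS-style host labels, then ':' and a port.
_HOST_PORT = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r":(?P<port>\d{1,5})$"
)


def render_trim_only(address: str) -> str:
    """Stand-in for a whitespace-trim-only fix: any markup in the value is
    interpolated into the page verbatim."""
    value = address.strip()
    return f'<a href="http://{value}/">{value}</a>'


def render_escaped(address: str) -> str:
    """Output encoding: HTML-escape the value before it reaches markup."""
    value = html.escape(address.strip(), quote=True)
    return f'<a href="http://{value}/">{value}</a>'


def validate_host_port(address: str) -> tuple:
    """Input validation: accept only host:port and return the parsed pair;
    reject everything else (including the crafted sample) with ValueError."""
    match = _HOST_PORT.match(address.strip())
    if match is None:
        raise ValueError(f"not a host:port address: {address!r}")
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return match.group("host"), port


def markup_survives(fragment: str) -> bool:
    """Does a raw <script tag survive into the rendered fragment?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    crafted = SAMPLE_ADDRESSES["crafted"]
    print("trim only :", render_trim_only(crafted), markup_survives(render_trim_only(crafted)))
    print("escaped   :", render_escaped(crafted), markup_survives(render_escaped(crafted)))
    for name, addr in SAMPLE_ADDRESSES.items():
        try:
            print(f"validate {name}:", validate_host_port(addr))
        except ValueError as exc:
            print(f"validate {name}: rejected ({exc})")
```

Run as a script it shows the crafted value passing straight through the trim-only path and being neutralised by the escaped one, and being rejected outright by the allow-list check. In practice both controls belong together: validation keeps a bad address out of the configuration, and escaping protects the rendering path for any value that reaches it by some other route.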