Steve Vaughan created YARN-11199:
------------------------------------
Summary: Replace htrace-core with hbase-noop-htrace for
CVE-2018-7489
Key: YARN-11199
URL: https://issues.apache.org/jira/browse/YARN-11199
Project: Hadoop YARN
Issue Type: Improvement
Components: timelineservice
Affects Versions: 3.4.0, 3.3.9, 3.3.4
Environment: The build was performed using the Hadoop development
environment.
Reporter: Steve Vaughan
Distributions of Hadoop still contain htrace, which is a critical CVE-2018-7489
concerning FasterXML jackson-databind. This can be addressed by replacing
`htrace-core` with `hbase-noop-htrace` in Hadoop builds. I'll extract this
from [HADOOP-18311|https://issues.apache.org/jira/browse/HADOOP-18311].
Downloading the published 3.3.3 distribution we can find htrace-core:
{code:java}
% tar -tzf ~/Downloads/hadoop-3.3.3.tar.gz | grep htrace
hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar{code}
It also appears in builds of trunk
{noformat}
% mvn -nsu clean install -Pdist,native -Drequire.snappy -Drequire.zstd
-Drequire.openssl -Drequire.isal -DskipTests -Dtar -Dmaven.javadoc.skip=true
[...]
% tar -tzf hadoop-dist/target/hadoop-3.4.0-SNAPSHOT.tar.gz | grep htrace
hadoop-3.4.0-SNAPSHOT/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar{noformat}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-dev-h...@hadoop.apache.org
