Steve Vaughan created YARN-11199:
------------------------------------

             Summary: Replace htrace-core with hbase-noop-htrace for CVE-2018-7489
                 Key: YARN-11199
                 URL: https://issues.apache.org/jira/browse/YARN-11199
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: timelineservice
    Affects Versions: 3.4.0, 3.3.9, 3.3.4
         Environment: The build was performed using the Hadoop development environment.
            Reporter: Steve Vaughan
Distributions of Hadoop still contain htrace, which is a critical CVE-2018-7489 concerning FasterXML jackson-databind. This can be addressed by replacing `htrace-core` with `hbase-noop-htrace` in Hadoop builds. I'll extract this from [HADOOP-18311|https://issues.apache.org/jira/browse/HADOOP-18311].

Downloading the published 3.3.3 distribution we can find htrace-core:

{noformat}
% tar -tzf ~/Downloads/hadoop-3.3.3.tar.gz | grep htrace
hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar
{noformat}

It also appears in builds of trunk:

{noformat}
% mvn -nsu clean install -Pdist,native -Drequire.snappy -Drequire.zstd -Drequire.openssl -Drequire.isal -DskipTests -Dtar -Dmaven.javadoc.skip=true
[...]
% tar -tzf hadoop-dist/target/hadoop-3.4.0-SNAPSHOT.tar.gz | grep htrace
hadoop-3.4.0-SNAPSHOT/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar
{noformat}

--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-dev-h...@hadoop.apache.org
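The `tar -tzf ... | grep htrace` check above is what a release pipeline would want to run automatically, but a bare `grep htrace` also matches the replacement jar once `hbase-noop-htrace` is in place. The script below is an added example, not code from the issue or the Hadoop project: it anchors the match on the jar basename so only the affected artifact fails the check, and it builds a constructed sample tarball (mimicking the path reported above) so it runs offline. It assumes only `tar`, `grep` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from YARN-11199): fail a build when a distribution tarball
# still ships a jar from a known-affected artifact, e.g. htrace-core.

# scan_tarball_for_jars TARBALL PATTERN...
# Prints every matching .jar entry path; returns 1 if any match, 0 if clean.
# PATTERN is an extended-regex prefix matched against the jar basename only,
# so 'htrace-core' does not flag 'hbase-noop-htrace-*.jar'.
scan_tarball_for_jars() {
    tarball=$1
    shift
    found=0
    for pattern in "$@"; do
        matches=$(tar -tzf "$tarball" | grep -E "(^|/)${pattern}[^/]*\.jar$" || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches"
            found=1
        fi
    done
    return $found
}

# Constructed sample distribution (hypothetical contents, not a real release):
# reproduces the timelineservice/lib layout from the issue plus a noop-htrace jar.
make_sample_tarball() {
    dir=$(mktemp -d)
    mkdir -p "$dir/hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib"
    mkdir -p "$dir/hadoop-3.3.3/share/hadoop/common/lib"
    : > "$dir/hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar"
    : > "$dir/hadoop-3.3.3/share/hadoop/common/lib/hbase-noop-htrace-sample.jar"
    tar -czf "$dir/sample.tar.gz" -C "$dir" hadoop-3.3.3
    printf '%s\n' "$dir/sample.tar.gz"
}

# Demo on the constructed sample; in a pipeline pass the built hadoop-*.tar.gz instead.
sample=$(make_sample_tarball)
if scan_tarball_for_jars "$sample" htrace-core; then
    echo "clean: no htrace-core jar shipped"
else
    echo "FAIL: htrace-core still present (CVE-2018-7489 via jackson-databind)"
fi
```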