[jira] [Commented] (HADOOP-19154) upgrade bouncy castle to 1.78.1 due to CVEs

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-19154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17852993#comment-17852993
 ] 

ASF GitHub Bot commented on HADOOP-19154:
-----------------------------------------

hadoop-yetus commented on PR #6866:
URL: https://github.com/apache/hadoop/pull/6866#issuecomment-2153737457

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   9m 49s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  markdownlint  |   0m  0s |  |  markdownlint was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  0s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
   |||| _ branch-3.4 Compile Tests _ |
   | +0 :ok: |  mvndep  |   3m 58s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  32m 19s |  |  branch-3.4 passed  |
   | +1 :green_heart: |  compile  |  10m  0s |  |  branch-3.4 passed with JDK 
Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2  |
   | +1 :green_heart: |  compile  |   9m  0s |  |  branch-3.4 passed with JDK 
Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08  |
   | +1 :green_heart: |  mvnsite  |  14m 43s |  |  branch-3.4 passed  |
   | +1 :green_heart: |  javadoc  |   5m  5s |  |  branch-3.4 passed with JDK 
Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2  |
   | +1 :green_heart: |  javadoc  |   4m 53s |  |  branch-3.4 passed with JDK 
Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08  |
   | +1 :green_heart: |  shadedclient  |  34m 10s |  |  branch has no errors 
when building and testing our client artifacts.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 28s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  21m 25s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |   9m  2s |  |  the patch passed with JDK 
Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2  |
   | +1 :green_heart: |  javac  |   9m  2s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |   8m 27s |  |  the patch passed with JDK 
Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08  |
   | +1 :green_heart: |  javac  |   8m 27s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |   9m 19s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   4m 52s |  |  the patch passed with JDK 
Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2  |
   | +1 :green_heart: |  javadoc  |   5m  3s |  |  the patch passed with JDK 
Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08  |
   | +1 :green_heart: |  shadedclient  |  32m 34s |  |  patch has no errors 
when building and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | -1 :x: |  unit  | 621m 26s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6866/1/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   0m 59s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 819m 36s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.fs.http.client.TestHttpFSWithHttpFSFileSystem |
   |   | hadoop.hdfs.protocol.TestBlockListAsLongs |
   |   | hadoop.hdfs.server.datanode.TestLargeBlockReport |
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.45 ServerAPI=1.45 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6866/1/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/6866 |
   | Optional Tests | dupname asflicense mvnsite codespell detsecrets 
markdownlint compile javac javadoc mvninstall unit shadedclient xmllint 
shellcheck shelldocs |
   | uname | Linux 8434123aad69 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 
09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.4 / 72e1edbdf628b6e582a8e0faf8b5aa2b3d192f9c |
   | Default Java | Private Build-1.8.0_412-8u412-ga-1~20.04.1-b08 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.23+9-post-Ubuntu-1ubuntu120.04.2 
/usr/lib/jvm/java-8-openjdk-amd64:Private 
Build-1.8.0_412-8u412-ga-1~20.04.1-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6866/1/testReport/ |
   | Max. process+thread count | 4139 (vs. ulimit of 5500) |
   | modules | C: hadoop-project hadoop-cloud-storage-project/hadoop-cos . U: . 
|
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6866/1/console |
   | versions | git=2.25.1 maven=3.6.3 shellcheck=0.7.0 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> upgrade bouncy castle to 1.78.1 due to CVEs
> -------------------------------------------
>
>                 Key: HADOOP-19154
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19154
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: common
>    Affects Versions: 3.4.0, 3.3.6
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.5.0
>
>
> [https://www.bouncycastle.org/releasenotes.html#r1rv78]
> There is a v1.78.1 release but no notes for it yet.
> For v1.78
> h3. 2.1.5 Security Advisories.
> Release 1.78 deals with the following CVEs:
>  * CVE-2024-29857 - Importing an EC certificate with specially crafted F2m 
> parameters can cause high CPU usage during parameter evaluation.
>  * CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due 
> to exception processing eliminated.
>  * CVE-2024-30172 - Crafted signature and public key can be used to trigger 
> an infinite loop in the Ed25519 verification code.
>  * CVE-2024-301XX - When endpoint identification is enabled and an SSL socket 
> is not created with an explicit hostname (as happens with 
> HttpsURLConnection), hostname verification could be performed against a 
> DNS-resolved IP address. This has been fixed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org