[
https://issues.apache.org/jira/browse/HADOOP-19031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17929196#comment-17929196
]
ASF GitHub Bot commented on HADOOP-19031:
-----------------------------------------
hadoop-yetus commented on PR #7286:
URL: https://github.com/apache/hadoop/pull/7286#issuecomment-2675016639
:broken_heart: **-1 overall**
| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 6m 21s | | Docker mode activated. |
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 0s | | No case conflicting files
found. |
| +0 :ok: | codespell | 0m 0s | | codespell was not available. |
| +0 :ok: | detsecrets | 0m 0s | | detect-secrets was not available.
|
| +0 :ok: | xmllint | 0m 0s | | xmllint was not available. |
| +1 :green_heart: | @author | 0m 0s | | The patch does not contain
any @author tags. |
| -1 :x: | test4tests | 0m 0s | | The patch doesn't appear to include
any new or modified tests. Please justify why no new tests are needed for this
patch. Also please list what manual steps were performed to verify this patch.
|
|||| _ branch-3.3.6 Compile Tests _ |
| +0 :ok: | mvndep | 13m 8s | | Maven dependency ordering for branch |
| -1 :x: | mvninstall | 24m 18s |
[/branch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/artifact/out/branch-mvninstall-root.txt)
| root in branch-3.3.6 failed. |
| -1 :x: | compile | 10m 32s |
[/branch-compile-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/artifact/out/branch-compile-root.txt)
| root in branch-3.3.6 failed. |
| +1 :green_heart: | checkstyle | 2m 28s | | branch-3.3.6 passed |
| +1 :green_heart: | mvnsite | 1m 47s | | branch-3.3.6 passed |
| +1 :green_heart: | javadoc | 1m 8s | | branch-3.3.6 passed |
| +0 :ok: | spotbugs | 0m 32s | | branch/hadoop-project no spotbugs
output file (spotbugsXml.xml) |
| +1 :green_heart: | shadedclient | 23m 38s | | branch has no errors
when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +0 :ok: | mvndep | 0m 32s | | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 1m 14s | | the patch passed |
| -1 :x: | compile | 11m 43s |
[/patch-compile-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/artifact/out/patch-compile-root.txt)
| root in the patch failed. |
| -1 :x: | javac | 11m 43s |
[/patch-compile-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/artifact/out/patch-compile-root.txt)
| root in the patch failed. |
| +1 :green_heart: | blanks | 0m 0s | | The patch has no blanks
issues. |
| +1 :green_heart: | checkstyle | 2m 41s | | the patch passed |
| +1 :green_heart: | mvnsite | 2m 14s | | the patch passed |
| +1 :green_heart: | javadoc | 1m 16s | | the patch passed |
| +0 :ok: | spotbugs | 0m 32s | | hadoop-project has no data from
spotbugs |
| +1 :green_heart: | shadedclient | 24m 14s | | patch has no errors
when building and testing our client artifacts. |
|||| _ Other Tests _ |
| +1 :green_heart: | unit | 0m 33s | | hadoop-project in the patch
passed. |
| +1 :green_heart: | unit | 17m 38s | | hadoop-common in the patch
passed. |
| +1 :green_heart: | asflicense | 1m 0s | | The patch does not
generate ASF License warnings. |
| | | 152m 29s | | |
| Subsystem | Report/Notes |
|----------:|:-------------|
| Docker | ClientAPI=1.48 ServerAPI=1.48 base:
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/artifact/out/Dockerfile
|
| GITHUB PR | https://github.com/apache/hadoop/pull/7286 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall
mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint |
| uname | Linux 76ba6678b38d 5.15.0-130-generic #140-Ubuntu SMP Wed Dec 18
17:59:53 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | branch-3.3.6 / 97cd2a3084f1d1a3a1cd90e64b7d0dfc1808d23b |
| Default Java | Private Build-1.8.0_362-8u372-ga~us1-0ubuntu1~18.04-b09 |
| Test Results |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/testReport/ |
| Max. process+thread count | 3152 (vs. ulimit of 5500) |
| modules | C: hadoop-project hadoop-common-project/hadoop-common U: . |
| Console output |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7286/2/console |
| versions | git=2.17.1 maven=3.6.0 spotbugs=4.2.2 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
This message was automatically generated.
> CVE-2024-23454: Apache Hadoop: Temporary File Local Information Disclosure
> --------------------------------------------------------------------------
>
> Key: HADOOP-19031
> URL: https://issues.apache.org/jira/browse/HADOOP-19031
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.4.0, 3.5.0
> Reporter: Xiaoqiao He
> Assignee: Xiaoqiao He
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0, 3.5.0
>
>
> Apache Hadoop’s RunJar.run() does not set permissions for temporary directory
> by default. If sensitive data will be present in this file, all the other
> local users may be able to view the content.
> This is because, on unix-like systems, the system temporary directory is
> shared between all local users. As such, files written in this directory,
> without setting the correct posix permissions explicitly, may be viewable by
> all other local users.
> Credit: Andrea Cosentino (finder)
> See: https://www.cve.org/CVERecord?id=CVE-2024-23454
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
