[ https://issues.apache.org/jira/browse/YARN-11199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18036664#comment-18036664 ]

ASF GitHub Bot commented on YARN-11199:
---------------------------------------

github-actions[bot] commented on PR #4506:
URL: https://github.com/apache/hadoop/pull/4506#issuecomment-3509006650

   We're closing this stale PR because it has been open for 100 days with no 
activity. This isn't a judgement on the merit of the PR in any way. It's just a 
way of keeping the PR queue manageable.
   If you feel like this was a mistake, or you would like to continue working 
on it, please feel free to re-open it and ask for a committer to remove the 
stale tag and review again.
   Thanks all for your contribution.




> Replace htrace-core with hbase-noop-htrace for CVE-2018-7489, CVE-2020-35491, 
> CVE-2020-35490, and CVE-2020-36518 
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-11199
>                 URL: https://issues.apache.org/jira/browse/YARN-11199
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: timelineservice
>    Affects Versions: 3.4.0, 3.3.5, 3.3.4
>         Environment: The build was performed using the Hadoop development 
> environment.
>            Reporter: Steve Vaughan
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Distributions of Hadoop still contain htrace, which is a critical 
> CVE-2018-7489 concerning FasterXML jackson-databind.  This can be addressed 
> by replacing `htrace-core` with `hbase-noop-htrace` in Hadoop builds.  I'll 
> extract this from 
> [HADOOP-18311|https://issues.apache.org/jira/browse/HADOOP-18311].
> Downloading the published 3.3.3 distribution we can find htrace-core:
> {code:java}
> % tar -tzf ~/Downloads/hadoop-3.3.3.tar.gz | grep htrace
> hadoop-3.3.3/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar
> {code}
> It also appears in builds of trunk
> {noformat}
> % mvn -nsu clean install -Pdist,native -Drequire.snappy -Drequire.zstd -Drequire.openssl -Drequire.isal -DskipTests -Dtar -Dmaven.javadoc.skip=true
> [...]
> % tar -tzf hadoop-dist/target/hadoop-3.4.0-SNAPSHOT.tar.gz | grep htrace
> hadoop-3.4.0-SNAPSHOT/share/hadoop/yarn/timelineservice/lib/htrace-core-3.1.0-incubating.jar
> {noformat}