!56 更新hadoop-3.3.3 to fix cve
From: @xiexing01 Reviewed-by: @wuzeyi1 Signed-off-by: @wuzeyi1
This commit is contained in:
openeuler-ci-bot
Gitee
commit
f1df6f70f5
@ -1,28 +0,0 @@
|
||||
From 26367b6cc7300e96963faff53a68552d13942804 Mon Sep 17 00:00:00 2001
|
||||
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
|
||||
Date: Mon, 9 Dec 2019 10:14:44 +0900
|
||||
Subject: [PATCH] Bump nimbus-jose-jwt from 4.41.1 to 7.9 (#1682)
|
||||
|
||||
Bumps [nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 4.41.1 to 7.9.
|
||||
- [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt)
|
||||
- [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/7.9..4.41.1)
|
||||
|
||||
Signed-off-by: dependabot[bot] <support@github.com>
|
||||
(cherry picked from commit c1d393a1567cac1bcf71e2e5f252cddffa0f97cc)
|
||||
---
|
||||
hadoop-project/pom.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
|
||||
index ad9c2138fb6c7..f83b74c2469b0 100644
|
||||
--- a/hadoop-project/pom.xml
|
||||
+++ b/hadoop-project/pom.xml
|
||||
@@ -1329,7 +1329,7 @@
|
||||
<dependency>
|
||||
<groupId>com.nimbusds</groupId>
|
||||
<artifactId>nimbus-jose-jwt</artifactId>
|
||||
- <version>4.41.1</version>
|
||||
+ <version>7.9</version>
|
||||
<scope>compile</scope>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
@ -1,53 +0,0 @@
|
||||
From c5ed4ec13dcc2e3bf6e7033ebfe9f5c9508e9236 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Yang <eyang@apache.org>
|
||||
Date: Mon, 15 Jun 2020 10:55:26 +0900
|
||||
Subject: [PATCH] SPNEGO TLS verification
|
||||
|
||||
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
|
||||
---
|
||||
.../org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
|
||||
index b316bf1..b34ce82 100644
|
||||
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
|
||||
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
|
||||
@@ -144,6 +144,7 @@ public class WebHdfsFileSystem extends FileSystem
|
||||
+ "/v" + VERSION;
|
||||
public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
|
||||
public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
|
||||
+ public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
|
||||
|
||||
/**
|
||||
* Default connection factory may be overridden in tests to use smaller
|
||||
@@ -172,6 +173,7 @@ public class WebHdfsFileSystem extends FileSystem
|
||||
|
||||
private DFSOpsCountStatistics storageStatistics;
|
||||
private KeyProvider testProvider;
|
||||
+ private boolean isTLSKrb;
|
||||
|
||||
/**
|
||||
* Return the protocol scheme for the FileSystem.
|
||||
@@ -233,6 +235,7 @@ public class WebHdfsFileSystem extends FileSystem
|
||||
.newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
|
||||
}
|
||||
|
||||
+ this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
|
||||
|
||||
ugi = UserGroupInformation.getCurrentUser();
|
||||
this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
|
||||
@@ -683,6 +686,11 @@ public class WebHdfsFileSystem extends FileSystem
|
||||
//redirect hostname and port
|
||||
redirectHost = null;
|
||||
|
||||
+ if (url.getProtocol().equals("http") &&
|
||||
+ UserGroupInformation.isSecurityEnabled() &&
|
||||
+ isTLSKrb) {
|
||||
+ throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
|
||||
+ }
|
||||
|
||||
// resolve redirects for a DN operation unless already resolved
|
||||
if (op.getRedirect() && !redirected) {
|
||||
--
|
||||
2.23.0
|
||||
|
||||
Binary file not shown.
39
hadoop.spec
39
hadoop.spec
@ -10,8 +10,8 @@
|
||||
%global __provides_exclude_from ^%{_libdir}/%{name}/.*$
|
||||
%define _binaries_in_noarch_packages_terminate_build 0
|
||||
Name: hadoop
|
||||
Version: 3.2.1
|
||||
Release: 12
|
||||
Version: 3.3.3
|
||||
Release: 1
|
||||
Summary: A software platform for processing vast amounts of data
|
||||
# The BSD license file is missing
|
||||
# https://issues.apache.org/jira/browse/HADOOP-9849
|
||||
@ -31,13 +31,15 @@ Source10: %{name}-core-site.xml
|
||||
Source11: %{name}-hdfs-site.xml
|
||||
Source12: %{name}-mapred-site.xml
|
||||
Source13: %{name}-yarn-site.xml
|
||||
Patch0: CVE-2020-9492.patch
|
||||
Patch1: CVE-2019-17195.patch
|
||||
Source14: yarn-v1.22.5.tar.gz
|
||||
Source15: node-12.22.1-linux-x64.tar.gz
|
||||
Source16: node-v12.22.1-linux-arm64.tar.gz
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
BuildRequires: java-1.8.0-openjdk-devel maven hostname maven-local tomcat cmake snappy openssl-devel
|
||||
BuildRequires: cyrus-sasl-devel chrpath systemd protobuf2-compiler protobuf2-devel protobuf2-java protobuf2
|
||||
BuildRequires: leveldbjni leveldb-java hawtjni-runtime gcc-c++
|
||||
BuildRequires: npm chrpath
|
||||
Requires: java-1.8.0-openjdk protobuf2-java apache-zookeeper
|
||||
|
||||
%description
|
||||
@ -246,6 +248,18 @@ mvn install:install-file -DgroupId=org.iq80.leveldb -DartifactId=leveldb-benchma
|
||||
mvn install:install-file -DgroupId=org.iq80.leveldb -DartifactId=leveldb -Dversion=0.7 -Dpackaging=jar -Dfile=/usr/share/java/leveldb-java/leveldb.jar
|
||||
mvn install:install-file -DgroupId=orn.fusesource.hawtjni -DartifactId=hawtjni-runtime -Dversion=1.16 -Dpackaging=jar -Dfile=/usr/lib/java/hawtjni/hawtjni-runtime.jar
|
||||
|
||||
mkdir -p /home/abuild/.m2/repository/com/github/eirslett/node/12.22.1/
|
||||
cp %{SOURCE15} /home/abuild/.m2/repository/com/github/eirslett/node/12.22.1/
|
||||
cp %{SOURCE16} /home/abuild/.m2/repository/com/github/eirslett/node/12.22.1/
|
||||
mv /home/abuild/.m2/repository/com/github/eirslett/node/12.22.1/node-v12.22.1-linux-arm64.tar.gz /home/abuild/.m2/repository/com/github/eirslett/node/12.22.1/node-12.22.1-linux-arm64.tar.gz
|
||||
mkdir -p /home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/
|
||||
cp %{SOURCE14} /home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/
|
||||
mv /home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/yarn-v1.22.5.tar.gz /home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/yarn-1.22.5.tar.gz
|
||||
tar -xzvf /home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/yarn-1.22.5.tar.gz -C /home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/
|
||||
npm config set registry https://repo.huaweicloud.com/repository/npm/
|
||||
npm cache clean -f
|
||||
/home/abuild/.m2/repository/com/github/eirslett/yarn/1.22.5/yarn-v1.22.5/bin/yarn config set registry https://repo.huaweicloud.com/repository/npm/ -g
|
||||
|
||||
%pom_add_dep org.iq80.leveldb:leveldb-api:0.7 hadoop-hdfs-project/hadoop-hdfs
|
||||
%pom_add_dep org.iq80.leveldb:leveldb-api:0.7 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy
|
||||
%pom_add_dep org.iq80.leveldb:leveldb-api:0.7 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice
|
||||
@ -294,7 +308,7 @@ mvn install:install-file -DgroupId=orn.fusesource.hawtjni -DartifactId=hawtjni-r
|
||||
%mvn_file :%{name}-common::tests: %{name}/%{name}-common
|
||||
|
||||
%build
|
||||
mvn -Dsnappy.lib=/usr/lib64 -Dbundle.snappy -Dcontainer-executor.conf.dir=%{_sysconfdir}/%{name} -Pdist,native -DskipTests -DskipIT -Dmaven.javadoc.skip=true package
|
||||
mvn clean -Dsnappy.lib=/usr/lib64 -Dbundle.snappy -Dcontainer-executor.conf.dir=%{_sysconfdir}/%{name} -Pdist,native -DskipTests -DskipIT -Dmaven.javadoc.skip=true package
|
||||
|
||||
%install
|
||||
# Copy all jar files except those generated by the build
|
||||
@ -312,7 +326,7 @@ link_hadoop_jars()
|
||||
{
|
||||
for f in `ls hadoop-* | grep -v tests | grep -v examples`
|
||||
do
|
||||
n=`echo $f | sed "s/-%{version}//"`
|
||||
n=`echo $f | sed -e "s/-%{version}//" -e "s/1.1.1//"`
|
||||
if [ -L $1/$n ]
|
||||
then
|
||||
continue
|
||||
@ -559,8 +573,8 @@ install -m 0755 %{name}-tools/%{name}-tools-dist/target/hadoop-tools-dist-%{vers
|
||||
echo %{_datadir}/java/%{name}/hadoop-tools-dist-tests.jar >> .mfiles-hadoop-tests
|
||||
install -m 0755 %{name}-yarn-project/%{name}-yarn/%{name}-yarn-common/target/hadoop-yarn-common-%{version}-tests.jar %{buildroot}%{_datadir}/java/%{name}/hadoop-yarn-common-tests.jar
|
||||
echo %{_datadir}/java/%{name}/hadoop-yarn-common-tests.jar >> .mfiles-hadoop-tests
|
||||
install -m 0755 %{name}-yarn-project/%{name}-yarn/%{name}-yarn-registry/target/hadoop-yarn-registry-%{version}-tests.jar %{buildroot}%{_datadir}/java/%{name}/hadoop-yarn-registry-tests.jar
|
||||
echo %{_datadir}/java/%{name}/hadoop-yarn-registry-tests.jar >> .mfiles-hadoop-tests
|
||||
#install -m 0755 %{name}-yarn-project/%{name}-yarn/%{name}-yarn-registry/target/hadoop-yarn-registry-%{version}-test-sources.jar %{buildroot}%{_datadir}/java/%{name}/hadoop-yarn-registry-test-sources.jar
|
||||
#echo %{_datadir}/java/%{name}/hadoop-yarn-registry-test-sources.jar >> .mfiles-hadoop-test-sources
|
||||
install -m 0755 %{name}-yarn-project/%{name}-yarn/%{name}-yarn-server/%{name}-yarn-server-resourcemanager/target/hadoop-yarn-server-resourcemanager-%{version}-tests.jar %{buildroot}%{_datadir}/java/%{name}/hadoop-yarn-server-resourcemanager-tests.jar
|
||||
echo %{_datadir}/java/%{name}/hadoop-yarn-server-resourcemanager-tests.jar >> .mfiles-hadoop-tests
|
||||
install -m 0755 %{name}-yarn-project/%{name}-yarn/%{name}-yarn-server/%{name}-yarn-server-sharedcachemanager/target/hadoop-yarn-server-sharedcachemanager-%{version}-tests.jar %{buildroot}%{_datadir}/java/%{name}/hadoop-yarn-server-sharedcachemanager-tests.jar
|
||||
@ -890,6 +904,9 @@ sed -i "s|{|%{_var}/log/hadoop-hdfs/*.audit\n{|" %{buildroot}%{_sysconfdir}/logr
|
||||
# hdfs init script
|
||||
install -m 755 %{SOURCE8} %{buildroot}%{_sbindir}
|
||||
|
||||
chrpath -d %{buildroot}%{_bindir}/container-executor
|
||||
chrpath -d %{buildroot}%{_bindir}/test-container-executor
|
||||
|
||||
%pretrans -p <lua> hdfs
|
||||
path = "%{_datadir}/%{name}/hdfs/webapps"
|
||||
st = posix.stat(path)
|
||||
@ -1047,7 +1064,6 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/tomcat@httpfs
|
||||
%config(noreplace) %{_sysconfdir}/%{name}/httpfs-env.sh
|
||||
%config(noreplace) %{_sysconfdir}/%{name}/httpfs-log4j.properties
|
||||
%config(noreplace) %{_sysconfdir}/%{name}/httpfs-signature.secret
|
||||
%config(noreplace) %{_sysconfdir}/%{name}/httpfs-site.xml
|
||||
%attr(-,tomcat,tomcat) %config(noreplace) %{_sysconfdir}/%{name}/tomcat/*.*
|
||||
%attr(0775,root,tomcat) %dir %{_sysconfdir}/%{name}/tomcat
|
||||
@ -1110,6 +1126,11 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
|
||||
|
||||
%changelog
|
||||
* Tue Sep 13 2022 xiexing <xiexing4@hisilicon.com> - 3.3.3-1
|
||||
- update version to fix CVE-2021-37404 CVE-2022-26612
|
||||
CVE-2021-33036 CVE-2022-25168
|
||||
and add chrpath to solve check_rpath warning
|
||||
|
||||
* Fri Feb 25 2022 wangkai <wangkai385@huawei.com> - 3.2.1-12
|
||||
- Rebuild for fix log4j1.x cves
|
||||
|
||||
|
||||
BIN
node-12.22.1-linux-x64.tar.gz
Normal file
BIN
node-12.22.1-linux-x64.tar.gz
Normal file
Binary file not shown.
BIN
node-v12.22.1-linux-arm64.tar.gz
Normal file
BIN
node-v12.22.1-linux-arm64.tar.gz
Normal file
Binary file not shown.
BIN
yarn-v1.22.5.tar.gz
Normal file
BIN
yarn-v1.22.5.tar.gz
Normal file
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user