Skip to content

Commit

Permalink
ODP-2013: ODP-1095 Critical CVE fixes
Browse files Browse the repository at this point in the history
  • Loading branch information
@basapuram-kumar
basapuram-kumar committed Aug 12, 2024
1 parent 47e5980 commit 4095c5c
Show file tree
Hide file tree
Showing 74 changed files with 713 additions and 297 deletions.
46 changes: 33 additions & 13 deletions hadoop-client-modules/hadoop-client-minicluster/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,10 @@
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.hadoop.thirdparty</groupId>
<artifactId>hadoop-shaded-avro_1_11</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.curator</groupId>
<artifactId>curator-client</artifactId>
Expand Down Expand Up @@ -417,29 +421,25 @@
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.sun.jersey</groupId>
<groupId>com.github.pjfanning</groupId>
<artifactId>jersey-json</artifactId>
<optional>true</optional>
<exclusions>
<exclusion>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-core-asl</artifactId>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-jaxrs</artifactId>
<groupId>com.fasterxml.jackson.jaxrs</groupId>
<artifactId>jackson-jaxrs-json-provider</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-xc</artifactId>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
</exclusion>
</exclusions>
</dependency>
Expand All @@ -452,6 +452,20 @@
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-servlet</artifactId>
<optional>true</optional>
exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.enterprise</groupId>
<artifactId>cdi-api</artifactId>
</exclusion>
<exclusion>
<groupId>ch.qos.cal10n</groupId>
<artifactId>cal10n-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- skip org.apache.avro:avro-ipc because it doesn't look like hadoop-common actually uses it -->
<dependency>
Expand Down Expand Up @@ -729,6 +743,12 @@
<exclude>META-INF/versions/9/module-info.class</exclude>
</excludes>
</filter>
<filter>
<artifact>com.google.code.gson:gson</artifact>
<excludes>
<exclude>META-INF/versions/9/module-info.class</exclude>
</excludes>
</filter>
<!-- Mockito tries to include its own unrelocated copy of hamcrest. :( -->
<filter>
<artifact>org.mockito:mockito-all</artifact>
Expand Down
22 changes: 21 additions & 1 deletion hadoop-client-modules/hadoop-client/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,14 @@
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-core</artifactId>
</exclusion>
<exclusion>
<groupId>com.github.pjfanning</groupId>
<artifactId>jersey-json</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
</exclusion>
<exclusion>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-json</artifactId>
Expand Down Expand Up @@ -110,6 +118,10 @@
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.hadoop.thirdparty</groupId>
<artifactId>hadoop-shaded-avro_1_11</artifactId>
</exclusion>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-server</artifactId>
Expand Down Expand Up @@ -162,14 +174,22 @@
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.hadoop.thirdparty</groupId>
<artifactId>hadoop-shaded-avro_1_11</artifactId>
</exclusion>
<exclusion>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-core</artifactId>
</exclusion>
<exclusion>
<groupId>com.sun.jersey</groupId>
<groupId>com.github.pjfanning</groupId>
<artifactId>jersey-json</artifactId>
</exclusion>
<exclusion>
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-all</artifactId>
Expand Down
40 changes: 36 additions & 4 deletions hadoop-common-project/hadoop-common/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,12 +133,32 @@
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-servlet</artifactId>
<scope>compile</scope>
<exclusions>
<exclusion>
<groupId>javax.enterprise</groupId>
<artifactId>cdi-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>ch.qos.cal10n</groupId>
<artifactId>cal10n-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<!-- Used, even though 'mvn dependency:analyze' doesn't find it -->
<groupId>com.sun.jersey</groupId>
<groupId>com.github.pjfanning</groupId>
<artifactId>jersey-json</artifactId>
<scope>compile</scope>
<exclusions>
<exclusion>
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.sun.jersey</groupId>
Expand All @@ -149,7 +169,6 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<scope>compile</scope>

<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
Expand Down Expand Up @@ -196,6 +215,14 @@
<artifactId>commons-lang3</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<!--
adding jettison as direct dependency (as jersey-json's jettison dependency is vulnerable with verison 1.1),
so those who depends on hadoop-common externally will get the non-vulnerable jettison
-->
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
Expand All @@ -217,8 +244,8 @@
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<groupId>org.apache.hadoop.thirdparty</groupId>
<artifactId>hadoop-shaded-avro_1_11</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
Expand Down Expand Up @@ -330,6 +357,10 @@
<groupId>org.apache.kerby</groupId>
<artifactId>kerb-simplekdc</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
Expand Down Expand Up @@ -485,6 +516,7 @@
<copy toDir="${project.build.directory}/test-classes">
<fileset dir="${basedir}/src/main/conf"/>
</copy>
<replace dir="${project.build.directory}/generated-test-sources/java" token="org.apache.avro" value="org.apache.hadoop.thirdparty.avro"/>
</target>
</configuration>
</execution>
Expand Down
2 changes: 1 addition & 1 deletion hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/AvroFSInput.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
import java.io.Closeable;
import java.io.IOException;

import org.apache.avro.file.SeekableInput;
import org.apache.hadoop.thirdparty.avro.file.SeekableInput;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;

Expand Down
2 changes: 1 addition & 1 deletion hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/Path.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
import java.net.URISyntaxException;
import java.util.regex.Pattern;

import org.apache.avro.reflect.Stringable;
import org.apache.hadoop.thirdparty.avro.reflect.Stringable;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.HadoopIllegalArgumentException;
import org.apache.hadoop.classification.InterfaceAudience;
Expand Down
16 changes: 8 additions & 8 deletions hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/Display.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,14 +25,14 @@
import java.util.LinkedList;
import java.util.zip.GZIPInputStream;

import org.apache.avro.Schema;
import org.apache.avro.file.DataFileReader;
import org.apache.avro.file.FileReader;
import org.apache.avro.generic.GenericDatumReader;
import org.apache.avro.generic.GenericDatumWriter;
import org.apache.avro.io.DatumWriter;
import org.apache.avro.io.EncoderFactory;
import org.apache.avro.io.JsonEncoder;
import org.apache.hadoop.thirdparty.avro.Schema;
import org.apache.hadoop.thirdparty.avro.file.DataFileReader;
import org.apache.hadoop.thirdparty.avro.file.FileReader;
import org.apache.hadoop.thirdparty.avro.generic.GenericDatumReader;
import org.apache.hadoop.thirdparty.avro.generic.GenericDatumWriter;
import org.apache.hadoop.thirdparty.avro.io.DatumWriter;
import org.apache.hadoop.thirdparty.avro.io.EncoderFactory;
import org.apache.hadoop.thirdparty.avro.io.JsonEncoder;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
Expand Down
2 changes: 1 addition & 1 deletion hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/Text.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
import java.text.StringCharacterIterator;
import java.util.Arrays;

import org.apache.avro.reflect.Stringable;
import org.apache.hadoop.thirdparty.avro.reflect.Stringable;

import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
Expand Down
12 changes: 6 additions & 6 deletions ...p-common/src/main/java/org/apache/hadoop/io/serializer/avro/AvroReflectSerialization.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,12 @@
import java.util.HashSet;
import java.util.Set;

import org.apache.avro.Schema;
import org.apache.avro.io.DatumReader;
import org.apache.avro.io.DatumWriter;
import org.apache.avro.reflect.ReflectData;
import org.apache.avro.reflect.ReflectDatumReader;
import org.apache.avro.reflect.ReflectDatumWriter;
import org.apache.hadoop.thirdparty.avro.Schema;
import org.apache.hadoop.thirdparty.avro.io.DatumReader;
import org.apache.hadoop.thirdparty.avro.io.DatumWriter;
import org.apache.hadoop.thirdparty.avro.reflect.ReflectData;
import org.apache.hadoop.thirdparty.avro.reflect.ReflectDatumReader;
import org.apache.hadoop.thirdparty.avro.reflect.ReflectDatumWriter;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;

Expand Down
14 changes: 7 additions & 7 deletions ...t/hadoop-common/src/main/java/org/apache/hadoop/io/serializer/avro/AvroSerialization.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,13 @@
import java.io.InputStream;
import java.io.OutputStream;

import org.apache.avro.Schema;
import org.apache.avro.io.BinaryDecoder;
import org.apache.avro.io.BinaryEncoder;
import org.apache.avro.io.DatumReader;
import org.apache.avro.io.DatumWriter;
import org.apache.avro.io.DecoderFactory;
import org.apache.avro.io.EncoderFactory;
import org.apache.hadoop.thirdparty.avro.Schema;
import org.apache.hadoop.thirdparty.avro.io.BinaryDecoder;
import org.apache.hadoop.thirdparty.avro.io.BinaryEncoder;
import org.apache.hadoop.thirdparty.avro.io.DatumReader;
import org.apache.hadoop.thirdparty.avro.io.DatumWriter;
import org.apache.hadoop.thirdparty.avro.io.DecoderFactory;
import org.apache.hadoop.thirdparty.avro.io.EncoderFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configured;
Expand Down
12 changes: 6 additions & 6 deletions ...-common/src/main/java/org/apache/hadoop/io/serializer/avro/AvroSpecificSerialization.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,12 @@

package org.apache.hadoop.io.serializer.avro;

import org.apache.avro.Schema;
import org.apache.avro.io.DatumReader;
import org.apache.avro.io.DatumWriter;
import org.apache.avro.specific.SpecificDatumReader;
import org.apache.avro.specific.SpecificDatumWriter;
import org.apache.avro.specific.SpecificRecord;
import org.apache.hadoop.thirdparty.avro.Schema;
import org.apache.hadoop.thirdparty.avro.io.DatumReader;
import org.apache.hadoop.thirdparty.avro.io.DatumWriter;
import org.apache.hadoop.thirdparty.avro.specific.SpecificDatumReader;
import org.apache.hadoop.thirdparty.avro.specific.SpecificDatumWriter;
import org.apache.hadoop.thirdparty.avro.specific.SpecificRecord;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;

Expand Down
6 changes: 4 additions & 2 deletions ...on-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/MetricsJsonBuilder.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,10 @@
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.ObjectWriter;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down
2 changes: 1 addition & 1 deletion ...adoop-common/src/main/java/org/apache/hadoop/security/token/delegation/DelegationKey.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@

import javax.crypto.SecretKey;

import org.apache.avro.reflect.Nullable;
import org.apache.hadoop.thirdparty.avro.reflect.Nullable;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.io.Writable;
Expand Down
12 changes: 6 additions & 6 deletions hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/io/AvroTestUtil.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,12 @@
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Type;

import org.apache.avro.Schema;
import org.apache.avro.io.EncoderFactory;
import org.apache.avro.reflect.ReflectData;
import org.apache.avro.reflect.ReflectDatumWriter;
import org.apache.avro.reflect.ReflectDatumReader;
import org.apache.avro.io.DecoderFactory;
import org.apache.hadoop.thirdparty.avro.Schema;
import org.apache.hadoop.thirdparty.avro.io.EncoderFactory;
import org.apache.hadoop.thirdparty.avro.reflect.ReflectData;
import org.apache.hadoop.thirdparty.avro.reflect.ReflectDatumWriter;
import org.apache.hadoop.thirdparty.avro.reflect.ReflectDatumReader;
import org.apache.hadoop.thirdparty.avro.io.DecoderFactory;

import static org.junit.Assert.assertEquals;

Expand Down
3 changes: 2 additions & 1 deletion ...-common-project/hadoop-common/src/test/java/org/apache/hadoop/io/TestEnumSetWritable.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,8 @@ public void testSerializeAndDeserializeNull() throws IOException {
@Test
public void testAvroReflect() throws Exception {
String schema = "{\"type\":\"array\",\"items\":{\"type\":\"enum\","
+ "\"name\":\"TestEnumSet\","
+ "\"name\":\"TestEnumSet\","
+ "\"namespace\":\"org.apache.hadoop.io.TestEnumSetWritable\","
+ "\"namespace\":\"org.apache.hadoop.io.TestEnumSetWritable\","
+ "\"symbols\":[\"CREATE\",\"OVERWRITE\",\"APPEND\"]},"
+ "\"java-class\":\"org.apache.hadoop.io.EnumSetWritable\"}";
Expand Down
2 changes: 1 addition & 1 deletion ...doop-common/src/test/java/org/apache/hadoop/io/serializer/avro/TestAvroSerialization.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ public class TestAvroSerialization {
@Test
public void testSpecific() throws Exception {
AvroRecord before = new AvroRecord();
before.intField = 5;
before.setIntField(5);
AvroRecord after = SerializationTestUtil.testSerialization(conf, before);
assertEquals(before, after);
}
Expand Down
Loading

0 comments on commit 4095c5c

Please sign in to comment.