[vulnerability](CVE-2022-1292) fix CVE-2022-1292 (apache#15639)

amorynan · Jan 5, 2023 · 77ffafb · 77ffafb
1 parent 9d1f02c
commit 77ffafb
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 6 deletions.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlHandshakePacket.java
@@ -23,7 +23,9 @@ public class MysqlHandshakePacket extends MysqlPacket {
     // Version of handshake packet, since MySQL 3.21.0, Handshake of protocol 10 is used
     private static final int PROTOCOL_VERSION = 10;
     // JDBC uses this version to check which protocol the server support
-    public static final String SERVER_VERSION = "5.7.37";
+    // Set the patch version to 99 to prevent the vulnerability scanning tool from
+    // falsely reporting MySQL vulnerabilities
+    public static final String SERVER_VERSION = "5.7.99";
     // 33 stands for UTF-8 character set
     private static final int CHARACTER_SET = 33;
     // use default capability for all

diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlHandshakePacketTest.java
@@ -62,7 +62,7 @@ public void testWrite() {
         // assert protocol version
         Assert.assertEquals(10, MysqlProto.readInt1(buffer));
         // server version
-        Assert.assertEquals("5.7.37", new String(MysqlProto.readNulTerminateString(buffer)));
+        Assert.assertEquals("5.7.99", new String(MysqlProto.readNulTerminateString(buffer)));
         // connection id
         Assert.assertEquals(1090, MysqlProto.readInt4(buffer));
         // plugin data 1

diff --git a/thirdparty/CHANGELOG.md b/thirdparty/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 This file contains version of the third-party dependency libraries in the build-env image. The docker build-env image is apache/doris, and the tag is `build-env-${version}`
 
+## v20230105
+- Modified: openssl 1.1.1m -> 1.1.1s fix CVE-2022-1292
+
 ## v20221230
 - Modified: libhdfs3 2.3.2 -> 2.3.4
 

diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
@@ -61,10 +61,10 @@ LIBEVENT_SOURCE=libevent-release-2.1.12-stable
 LIBEVENT_MD5SUM="0d5a27436bf7ff8253420c8cf09f47ca"
 
 # openssl
-OPENSSL_DOWNLOAD="https://github.com/openssl/openssl/archive/OpenSSL_1_1_1m.tar.gz"
-OPENSSL_NAME=openssl-OpenSSL_1_1_1m.tar.gz
-OPENSSL_SOURCE=openssl-OpenSSL_1_1_1m
-OPENSSL_MD5SUM="710c2368d28f1a25ab92e25b5b9b11ec"
+OPENSSL_DOWNLOAD="https://github.com/openssl/openssl/archive/OpenSSL_1_1_1s.tar.gz"
+OPENSSL_NAME=openssl-OpenSSL_1_1_1s.tar.gz
+OPENSSL_SOURCE=openssl-OpenSSL_1_1_1s
+OPENSSL_MD5SUM="7e79a7560dee77c0758baa33c61af4b4"
 
 # thrift
 THRIFT_DOWNLOAD="http://archive.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz"