
HADOOP-18655. Upgrade kerby to 2.0.3 due to CVE-2023-25613 #5458


Merged: 1 commit merged into apache:trunk on Mar 8, 2023

Conversation

rohit-kb (Contributor) commented Mar 7, 2023

Description of PR

Upgrading kerby to 2.0.3 due to the CVE https://nvd.nist.gov/vuln/detail/CVE-2023-25613

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

hadoop-yetus commented

💔 -1 overall

| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|:----------|--------:|:--------|:--------|
| +0 🆗 | reexec | 1m 12s | | Docker mode activated. |
| | | | | _ Prechecks _ |
| +1 💚 | dupname | 0m 0s | | No case conflicting files found. |
| +0 🆗 | codespell | 0m 1s | | codespell was not available. |
| +0 🆗 | detsecrets | 0m 1s | | detect-secrets was not available. |
| +0 🆗 | xmllint | 0m 1s | | xmllint was not available. |
| +0 🆗 | shelldocs | 0m 1s | | Shelldocs was not available. |
| +1 💚 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | | | | _ trunk Compile Tests _ |
| +0 🆗 | mvndep | 15m 5s | | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 28m 51s | | trunk passed |
| +1 💚 | compile | 26m 0s | | trunk passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1 |
| +1 💚 | compile | 22m 11s | | trunk passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09 |
| +1 💚 | mvnsite | 26m 32s | | trunk passed |
| +1 💚 | javadoc | 8m 48s | | trunk passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1 |
| +1 💚 | javadoc | 7m 21s | | trunk passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09 |
| +1 💚 | shadedclient | 38m 39s | | branch has no errors when building and testing our client artifacts. |
| | | | | _ Patch Compile Tests _ |
| +0 🆗 | mvndep | 0m 43s | | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 25m 19s | | the patch passed |
| +1 💚 | compile | 24m 58s | | the patch passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1 |
| +1 💚 | javac | 24m 58s | | the patch passed |
| +1 💚 | compile | 21m 56s | | the patch passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09 |
| +1 💚 | javac | 21m 56s | | the patch passed |
| +1 💚 | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 💚 | mvnsite | 21m 30s | | the patch passed |
| +1 💚 | shellcheck | 0m 0s | | No new issues. |
| +1 💚 | javadoc | 8m 21s | | the patch passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1 |
| +1 💚 | javadoc | 7m 33s | | the patch passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09 |
| +1 💚 | shadedclient | 42m 59s | | patch has no errors when building and testing our client artifacts. |
| | | | | _ Other Tests _ |
| -1 ❌ | unit | 760m 42s | /patch-unit-root.txt | root in the patch passed. |
| +1 💚 | asflicense | 1m 25s | | The patch does not generate ASF License warnings. |
| | | 1061m 25s | | |

| Reason | Tests |
|:-------|:------|
| Failed junit tests | hadoop.hdfs.TestRollingUpgrade |
| | hadoop.hdfs.server.namenode.ha.TestObserverNode |
| | hadoop.hdfs.server.datanode.TestDirectoryScanner |
| Subsystem | Report/Notes |
|:----------|:-------------|
| Docker | ClientAPI=1.42 ServerAPI=1.42 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5458/1/artifact/out/Dockerfile |
| GITHUB PR | #5458 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
| uname | Linux 713bb57cb791 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / b5fa269 |
| Default Java | Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5458/1/testReport/ |
| Max. process+thread count | 2384 (vs. ulimit of 5500) |
| modules | C: hadoop-project . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5458/1/console |
| versions | git=2.25.1 maven=3.6.3 shellcheck=0.7.0 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |

This message was automatically generated.

steveloughran (Contributor) left a review comment

LGTM
+1

@steveloughran steveloughran merged commit 487368c into apache:trunk Mar 8, 2023
steveloughran (Contributor) commented

merged to trunk. thanks!

@rohit-kb can you do a pr with this patch cherrypicked into branch-3.3? that'll get into people's hands faster.

we are doing a 3.3.5 RC this week, but I am reluctant to do a last minute change here. How exposed do you think hadoop apps are to this?

rohit-kb (Contributor, Author) commented Mar 8, 2023

Thanks @steveloughran for the review and the update. Since there is no reference to LdapIdentityBackend, I assume we are not porting it to branch-3.3 then? In which case, I will mark the jira as resolved.

steveloughran (Contributor) commented

do a pr for 3.3 anyway, to stop people seeing warnings in audits of dependencies.

it is not needed in the 3.3.5 release
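
The thread separates two questions: does a dependency audit still flag kerby (anything below 2.0.3), and does the deployment actually reference LdapIdentityBackend. The script below is an added example, not code from this PR, Hadoop or kerby: it parses `mvn dependency:tree` text, lists org.apache.kerby artifacts resolved below 2.0.3, and reports whether any supplied source or config text names LdapIdentityBackend. The embedded dependency tree, the backend.conf line, its key name and the fully qualified class name are constructed for illustration and are not taken from this page.

```python
"""Dependency-audit check for the kerby bump discussed in this PR (added example)."""
import re
from typing import Iterator, List, Tuple

# Fix version taken from the PR title: kerby 2.0.3.
FIXED_VERSION = "2.0.3"
# Class name the thread says Hadoop does not reference; matching on the simple
# name rather than a package path is an assumption of this example.
LDAP_BACKEND_CLASS = "LdapIdentityBackend"

# Constructed sample of `mvn dependency:tree` output (not a real Hadoop tree):
# two artifacts still on 2.0.2, one already on 2.0.3, one unrelated dependency.
SAMPLE_TREE = """\
[INFO] org.apache.hadoop:hadoop-common:jar:3.4.0-SNAPSHOT
[INFO] +- org.apache.kerby:kerb-core:jar:2.0.2:compile
[INFO] |  \\- org.apache.kerby:kerby-pkix:jar:2.0.2:compile
[INFO] +- org.apache.kerby:kerb-simplekdc:jar:2.0.3:test
[INFO] \\- com.google.guava:guava:jar:31.1-jre:compile
"""

# Constructed sample of a kerby KDC backend setting; key and package path are assumed.
SAMPLE_BACKEND_CONF = (
    "kdc_identity_backend = "
    "org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend\n"
)

# Strips the "[INFO]" prefix and the ASCII tree drawing (+- |  \-) from a line.
_PREFIX_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")


def parse_tree(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (groupId, artifactId, version, scope) for each dependency line.

    Dependency lines are groupId:artifactId:type[:classifier]:version:scope;
    the root artifact (which has no scope) and non-tree output are skipped.
    """
    for line in text.splitlines():
        parts = _PREFIX_RE.sub("", line).strip().split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue
        yield group, artifact, version, scope


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, e.g. '2.0.10' -> (2, 0, 10).

    Qualifiers such as '-SNAPSHOT' or '-jre' are dropped, so '2.0.3-SNAPSHOT'
    compares as fixed; a deliberate simplification, not a guarantee.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(part) for part in match.group(0).split(".")) if match else ()


def vulnerable_kerby(tree_text: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, str]]:
    """(artifactId, version, scope) of every org.apache.kerby artifact below `fixed`."""
    return [
        (artifact, version, scope)
        for group, artifact, version, scope in parse_tree(tree_text)
        if group == "org.apache.kerby" and version_key(version) < version_key(fixed)
    ]


def references_ldap_backend(*texts: str) -> bool:
    """True if any supplied source or config text names LdapIdentityBackend."""
    return any(LDAP_BACKEND_CLASS in text for text in texts)


def audit(tree_text: str, *config_texts: str) -> str:
    """Classify the build: 'clean', 'audit-warning-only', or 'exposed'.

    'audit-warning-only' is the case the thread describes: an old kerby is on
    the classpath, but nothing supplied references the LDAP backend.
    """
    if not vulnerable_kerby(tree_text):
        return "clean"
    if references_ldap_backend(*config_texts):
        return "exposed"
    return "audit-warning-only"


if __name__ == "__main__":
    for artifact, version, scope in vulnerable_kerby(SAMPLE_TREE):
        print(f"org.apache.kerby:{artifact}:{version} ({scope}) is below {FIXED_VERSION}")
    print("no backend config supplied:", audit(SAMPLE_TREE))
    print("LDAP backend configured:   ", audit(SAMPLE_TREE, SAMPLE_BACKEND_CONF))
```

On a real checkout, feed it the output of `mvn dependency:tree` run in the module of interest, plus any KDC configuration the deployment actually ships; a result of `audit-warning-only` is the situation the branch-3.3 backport is meant to silence.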

rohit-kb added a commit to rohit-kb/hadoop that referenced this pull request Mar 16, 2023
jojochuang pushed a commit to jojochuang/hadoop that referenced this pull request May 23, 2023
apache#5458)

Upgrade kerby to 2.0.3 due to the CVE https://nvd.nist.gov/vuln/detail/CVE-2023-25613

Contributed by Rohit Kumar Badeau

(cherry-picked from 487368c)

Change-Id: I92655865e69d27299856e9dedfcfc28d432a65b7
ferdelyi pushed a commit to ferdelyi/hadoop that referenced this pull request May 26, 2023

3 participants