Skip to content

HADOOP-19225. Upgrade Jetty to 9.4.57.v20241219 due to CVE-2024-8184 #7116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 29, 2025
Merged

HADOOP-19225. Upgrade Jetty to 9.4.57.v20241219 due to CVE-2024-8184 #7116

merged 2 commits into from
Jan 29, 2025

Conversation

pjfanning
Copy link
Contributor

@pjfanning pjfanning commented Oct 15, 2024
edited
Loading

Description of PR

CVE-2024-8184 - Might as well use latest Jetty release 9.4.57.v20241219 because this release line is EOL and only serious bugs are fixed in it

HADOOP-19225

How was this patch tested?

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@hadoop-yetus
Copy link

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 51s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+0 🆗 shelldocs 0m 0s Shelldocs was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 27s Maven dependency ordering for branch
+1 💚 mvninstall 36m 3s trunk passed
+1 💚 compile 19m 41s trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚 compile 18m 24s trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 mvnsite 28m 34s trunk passed
+1 💚 javadoc 12m 5s trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚 javadoc 8m 21s trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 shadedclient 59m 16s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 57s Maven dependency ordering for patch
+1 💚 mvninstall 35m 53s the patch passed
+1 💚 compile 19m 8s the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚 javac 19m 8s the patch passed
+1 💚 compile 18m 2s the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 javac 18m 2s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 20m 34s the patch passed
+1 💚 shellcheck 0m 0s No new issues.
+1 💚 javadoc 10m 29s the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚 javadoc 8m 9s the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 shadedclient 58m 38s patch has no errors when building and testing our client artifacts.
_ Other Tests _
-1 ❌ unit 723m 13s /patch-unit-root.txt root in the patch failed.
+1 💚 asflicense 1m 5s The patch does not generate ASF License warnings.
1058m 7s
Reason Tests
Unreaped Processes root:2
Failed junit tests hadoop.hdfs.TestRollingUpgrade
Subsystem Report/Notes
Docker ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/1/artifact/out/Dockerfile
GITHUB PR #7116
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname Linux 7aab4197d600 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / a86117d
Default Java Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Unreaped Processes Log https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/1/artifact/out/patch-unit-root-reaper.txt
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/1/testReport/
Max. process+thread count 3846 (vs. ulimit of 5500)
modules C: hadoop-project . U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/1/console
versions git=2.25.1 maven=3.6.3 shellcheck=0.7.0
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@NihalJain NihalJain mentioned this pull request Oct 23, 2024
Closed
4 tasks
@ayushtkn
Copy link
Member

I think we should rebase & retry the build, not sure what does this Unreaped Processes mean in the test result

image

@pjfanning
Copy link
Contributor Author

rebased

@jojochuang
Copy link
Contributor

Please update the subject and include "Jetty" in it.

@pjfanning pjfanning changed the title HADOOP-19225. Upgrade to 9.4.56.v20240826 due to CVE-2024-8184 HADOOP-19225. Upgrade Jetty to 9.4.56.v20240826 due to CVE-2024-8184 Oct 24, 2024
@hadoop-yetus
Copy link

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 18m 1s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+0 🆗 shelldocs 0m 1s Shelldocs was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 40s Maven dependency ordering for branch
+1 💚 mvninstall 36m 48s trunk passed
-1 ❌ compile 0m 27s /branch-compile-root-jdkUbuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04.txt root in trunk failed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04.
+1 💚 compile 18m 11s trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 mvnsite 26m 13s trunk passed
+1 💚 javadoc 10m 31s trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚 javadoc 7m 53s trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 shadedclient 56m 27s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 57s Maven dependency ordering for patch
+1 💚 mvninstall 34m 38s the patch passed
-1 ❌ compile 0m 27s /patch-compile-root-jdkUbuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04.txt root in the patch failed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04.
-1 ❌ javac 0m 27s /patch-compile-root-jdkUbuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04.txt root in the patch failed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04.
+1 💚 compile 17m 20s the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 javac 17m 20s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 19m 52s the patch passed
+1 💚 shellcheck 0m 0s No new issues.
+1 💚 javadoc 10m 24s the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚 javadoc 7m 46s the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚 shadedclient 57m 19s patch has no errors when building and testing our client artifacts.
_ Other Tests _
-1 ❌ unit 802m 48s /patch-unit-root.txt root in the patch passed.
+1 💚 asflicense 1m 36s The patch does not generate ASF License warnings.
1109m 3s
Reason Tests
Failed junit tests hadoop.hdfs.server.federation.router.TestRouterClientRejectOverload
Subsystem Report/Notes
Docker ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/2/artifact/out/Dockerfile
GITHUB PR #7116
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname Linux 880b6ad495f8 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 35f2b84
Default Java Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/2/testReport/
Max. process+thread count 3699 (vs. ulimit of 5500)
modules C: hadoop-project . U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/2/console
versions git=2.25.1 maven=3.6.3 shellcheck=0.7.0
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

ayushtkn
ayushtkn approved these changes Oct 26, 2024
View reviewed changes
Copy link
Member

@ayushtkn ayushtkn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

The JDK-11 failure is known & being tracked separately

@pjfanning pjfanning mentioned this pull request Oct 26, 2024
Open
@pjfanning pjfanning closed this Dec 30, 2024
@pjfanning pjfanning deleted the HADOOP-19225-jetty branch December 30, 2024 20:52
@pjfanning pjfanning restored the HADOOP-19225-jetty branch January 22, 2025 08:30
@pjfanning pjfanning reopened this Jan 22, 2025
@hadoop-yetus
Copy link

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 52s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+0 🆗 shelldocs 0m 0s Shelldocs was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+0 🆗 mvndep 5m 44s Maven dependency ordering for branch
+1 💚 mvninstall 36m 15s trunk passed
+1 💚 compile 21m 16s trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 compile 17m 45s trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 mvnsite 20m 0s trunk passed
+1 💚 javadoc 10m 6s trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 7m 25s trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 shadedclient 55m 20s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 40s Maven dependency ordering for patch
+1 💚 mvninstall 35m 23s the patch passed
+1 💚 compile 19m 15s the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javac 19m 15s the patch passed
+1 💚 compile 17m 45s the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 javac 17m 45s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 19m 39s the patch passed
+1 💚 shellcheck 0m 0s No new issues.
+1 💚 javadoc 9m 58s the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 7m 28s the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 shadedclient 56m 24s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 397m 14s root in the patch passed.
+1 💚 asflicense 1m 12s The patch does not generate ASF License warnings.
708m 6s
Subsystem Report/Notes
Docker ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/2/artifact/out/Dockerfile
GITHUB PR #7116
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname Linux b943858af5c0 5.15.0-125-generic #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 07781a1
Default Java Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/2/testReport/
Max. process+thread count 3565 (vs. ulimit of 5500)
modules C: hadoop-project . U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/2/console
versions git=2.25.1 maven=3.6.3 shellcheck=0.7.0
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@pjfanning
Copy link
Contributor Author

@slfan1989 @ayushtkn @steveloughran would it be possible to merge this (if it is ok)?

ayushtkn
ayushtkn reviewed Jan 28, 2025
View reviewed changes
Copy link
Member

@ayushtkn ayushtkn left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have 9.4.57.v20241219 as well released now, can we move to it directly?

@pjfanning pjfanning changed the title HADOOP-19225. Upgrade Jetty to 9.4.56.v20240826 due to CVE-2024-8184 HADOOP-19225. Upgrade Jetty to 9.4.57.v20241219 due to CVE-2024-8184 Jan 28, 2025
@hadoop-yetus
Copy link

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 18m 13s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+0 🆗 shelldocs 0m 0s Shelldocs was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+0 🆗 mvndep 6m 13s Maven dependency ordering for branch
+1 💚 mvninstall 36m 27s trunk passed
+1 💚 compile 20m 5s trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 compile 17m 52s trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 mvnsite 21m 47s trunk passed
+1 💚 javadoc 10m 12s trunk passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 7m 37s trunk passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 shadedclient 56m 3s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 40s Maven dependency ordering for patch
+1 💚 mvninstall 34m 49s the patch passed
+1 💚 compile 19m 8s the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javac 19m 8s the patch passed
+1 💚 compile 17m 33s the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 javac 17m 33s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 19m 35s the patch passed
+1 💚 shellcheck 0m 0s No new issues.
+1 💚 javadoc 10m 2s the patch passed with JDK Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 7m 42s the patch passed with JDK Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
+1 💚 shadedclient 56m 42s patch has no errors when building and testing our client artifacts.
_ Other Tests _
-1 ❌ unit 392m 16s /patch-unit-root.txt root in the patch passed.
+1 💚 asflicense 1m 16s The patch does not generate ASF License warnings.
722m 5s
Reason Tests
Failed junit tests hadoop.hdfs.TestRollingUpgrade
Subsystem Report/Notes
Docker ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/3/artifact/out/Dockerfile
GITHUB PR #7116
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname Linux 943ad95d7e3d 5.15.0-125-generic #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 643ab22
Default Java Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.25+9-post-Ubuntu-1ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_432-8u432-gaus1-0ubuntu220.04-ga
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/3/testReport/
Max. process+thread count 3718 (vs. ulimit of 5500)
modules C: hadoop-project . U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7116/3/console
versions git=2.25.1 maven=3.6.3 shellcheck=0.7.0
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@pjfanning
Copy link
Contributor Author

upgraded to 9.4.57

@ayushtkn ayushtkn merged commit a592666 into apache:trunk Jan 29, 2025
1 of 4 checks passed
YanivKunda pushed a commit to YanivKunda/hadoop that referenced this pull request Mar 23, 2025
@pjfanning @YanivKunda
HADOOP-19225. Upgrade Jetty to 9.4.57.v20241219 due to CVE-2024-8184 (a…
a93c9bf 
…pache#7116). Contributed by PJ Fanning.
@pjfanning pjfanning deleted the HADOOP-19225-jetty branch May 21, 2025 13:15
pjfanning added a commit to pjfanning/hadoop that referenced this pull request May 21, 2025
@pjfanning
HADOOP-19225. Upgrade Jetty to 9.4.57.v20241219 due to CVE-2024-8184 (a…
7425721 
…pache#7116). Contributed by PJ Fanning.
@pjfanning pjfanning mentioned this pull request May 21, 2025
Open
pjfanning added a commit to pjfanning/hadoop that referenced this pull request Jun 4, 2025
@pjfanning
HADOOP-19225. Upgrade Jetty to 9.4.57.v20241219 due to CVE-2024-8184 (a…
4d24876 
…pache#7116). Contributed by PJ Fanning.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ayushtkn ayushtkn ayushtkn approved these changes

@NihalJain NihalJain NihalJain approved these changes

@zeekling zeekling zeekling approved these changes

@slfan1989 slfan1989 slfan1989 approved these changes

Assignees
No one assigned
Labels
build trunk
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@pjfanning @hadoop-yetus @ayushtkn @jojochuang @NihalJain @zeekling @slfan1989