[SPARK-16751] Upgrade derby to 10.12.1.1 #14379
Conversation
## What changes were proposed in this pull request?

Version of derby upgraded based on important security info at VersionEye. Test scope added so we don't include it in our final package anyway.

NB: I think this should be backported to all previous releases as it is a security problem https://www.versioneye.com/java/org.apache.derby:derby/10.11.1.1

The CVE number is 2015-1832. I also suggest we add a SECURITY tag for JIRAs.

## How was this patch tested?

Existing tests with the change making sure that we see no new failures. I checked derby 10.12.x and not derby 10.11.x is downloaded to our ~/.m2 folder.

I then used dev/make-distribution.sh and checked the dist/jars folder for Spark 2.0: no derby jar is present.

I don't know if this would also remove it from the assembly jar in our 1.x branches.
Test build #62922 has finished for PR 14379 at commit
Noticed the /home/jenkins/workspace/SparkPullRequestBuilder/dev/test-dependencies.sh problem, need to regen (I slipped up here when upgrading Hadoop last time too), on the case...
Thanks Adam for putting together the PR - you're more efficient at it than me ;-) - to propose upgrading this component and responding to my developer mailing list posting. I agree that this affects multiple prior Spark releases, and hoping this would make the cut for content towards a 1.6.x release at least too.
dev/test-dependencies.sh --replace-manifest then git status to see the changed files, updated the PR
Jenkins retest this please
Does this break the runtime for Spark SQL running locally with Hive support, when there is no external catalog setup?
Test build #62923 has finished for PR 14379 at commit
Test build #62924 has finished for PR 14379 at commit
Yeah I don't think you can remove derby from packaging. If you don't have a metastore server, Spark (well, the Hive libraries) will create a local derby database and use it.
Interesting point, and you'd think that requires derby classes. Out of curiosity, what actually happens and what commands would we use to hit the problem? I've noticed with bin/spark-shell we get a metastore_db folder and derby.log; without derby on our CP do we get NoClassDefFound exceptions? I can give this a try tomorrow if there's no quick answer here. If this is the case then we can simply remove the test I added and let's ship derby 10.12.1.1 not 10.11.1.1 instead.
I don't know what exact error you'd get, but you would almost certainly get some error. Removing the test scope (and updating the PR title) should be all that's needed here.
We actually do want to include it in the Spark distribution
Test build #62940 has finished for PR 14379 at commit
Test build #62943 has finished for PR 14379 at commit
Oh I see, so this is actually packaged, not strictly part of tests. Well we should do it anyway. Not sure if the risk actually surfaces in Spark but better to update and be safe.
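The thread converges on two requirements for a built distribution: Derby must be shipped (Hive support creates a local Derby metastore when no external catalog is configured), and the shipped version must be the fixed 10.12.1.1 line rather than 10.11.x. The script below is an added example, not code from the Spark project or from this PR, that checks a jars directory for exactly that. The helper names `version_ge` and `check_derby_jars`, the directory layout and the empty placeholder jar files in the demo are all constructed for illustration; the check only reads artifact filenames.

```shell
#!/bin/sh
# Added example, not code from the Spark project or from this PR.
# Verifies that a distribution's jars directory ships Apache Derby and that
# the shipped version is at or above the one the PR upgrades to, so the local
# Derby metastore still works and the vulnerable 10.11.x line is not packaged.

MIN_DERBY_VERSION="10.12.1.1"   # the version this PR moves to

# version_ge A B: succeed (return 0) when dotted numeric version A >= B.
# Compares component by component; a missing component counts as 0, so
# 10.12 and 10.12.0 compare equal. Components must be integers.
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        if [ -z "$a" ]; then a=0; fi
        if [ -z "$b" ]; then b=0; fi
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# check_derby_jars DIR: inspect every derby-*.jar under DIR (hypothetical
# helper). Returns 0 when at least one jar is present and all of them are
# >= MIN_DERBY_VERSION, 1 when no derby jar is shipped at all, and 2 when a
# jar older than the fixed version is shipped.
check_derby_jars() {
    dir=$1
    found=0
    status=0
    for jar in "$dir"/derby-*.jar; do
        if [ ! -e "$jar" ]; then continue; fi    # glob matched nothing
        found=1
        name=$(basename "$jar" .jar)
        ver=${name#derby-}                        # derby-10.12.1.1 -> 10.12.1.1
        if version_ge "$ver" "$MIN_DERBY_VERSION"; then
            echo "OK   $jar (derby $ver >= $MIN_DERBY_VERSION)"
        else
            echo "FAIL $jar (derby $ver < $MIN_DERBY_VERSION, CVE-2015-1832 line)"
            status=2
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL no derby jar under $dir; Hive support needs it for the local metastore"
        return 1
    fi
    return "$status"
}

# Constructed demo: three fake distribution layouts with empty files standing
# in for real jars. "fixed" passes, "old" fails on version, "missing" fails
# because nothing would back the local metastore.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/fixed/jars" "$tmp/old/jars" "$tmp/missing/jars"
    : > "$tmp/fixed/jars/derby-10.12.1.1.jar"
    : > "$tmp/old/jars/derby-10.11.1.1.jar"
    for d in fixed old missing; do
        if check_derby_jars "$tmp/$d/jars"; then
            echo "$d: pass"
        else
            echo "$d: fail"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Against a real build the call would be `check_derby_jars dist/jars` after dev/make-distribution.sh; the non-zero return codes make it usable as a release-gate step, and the version comparison is done in plain POSIX shell rather than `sort -V` so it behaves the same on any build host.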
One failure at https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/62943/testReport/ which looks to be a timeout or flaky test and not caused by this PR; let's test once more to see if it's consistent with this, as the "age" on Jenkins doesn't help (usually gives us a history of this test failing).

[info] DirectKafkaStreamSuite:
Jenkins retest this please
Test build #62973 has finished for PR 14379 at commit
Version of derby upgraded based on important security info at VersionEye. Test scope added so we don't include it in our final package anyway.

NB: I think this should be backported to all previous releases as it is a security problem https://www.versioneye.com/java/org.apache.derby:derby/10.11.1.1

The CVE number is 2015-1832. I also suggest we add a SECURITY tag for JIRAs.

Existing tests with the change making sure that we see no new failures. I checked derby 10.12.x and not derby 10.11.x is downloaded to our ~/.m2 folder. I then used dev/make-distribution.sh and checked the dist/jars folder for Spark 2.0: no derby jar is present. I don't know if this would also remove it from the assembly jar in our 1.x branches.

Author: Adam Roberts <aroberts@uk.ibm.com>

Closes #14379 from a-roberts/patch-4.

(cherry picked from commit 04a2c07)
Signed-off-by: Sean Owen <sowen@cloudera.com>
Merged to master/2.0/1.6
Shoot, this made the lint check fail in 1.6 since there was a hadoop-1 dependency file to update there too. I'll hot-fix it forward, as that's an easy and trivial thing to correct.
Thanks for merging into 1.6.x and the 2.X lines. |
Version of derby upgraded based on important security info at VersionEye. Test scope added so we don't include it in our final package anyway.

NB: I think this should be backported to all previous releases as it is a security problem https://www.versioneye.com/java/org.apache.derby:derby/10.11.1.1

The CVE number is 2015-1832. I also suggest we add a SECURITY tag for JIRAs.

Existing tests with the change making sure that we see no new failures. I checked derby 10.12.x and not derby 10.11.x is downloaded to our ~/.m2 folder. I then used dev/make-distribution.sh and checked the dist/jars folder for Spark 2.0: no derby jar is present. I don't know if this would also remove it from the assembly jar in our 1.x branches.

Author: Adam Roberts <aroberts@uk.ibm.com>

Closes apache#14379 from a-roberts/patch-4.

(cherry picked from commit 04a2c07)
Signed-off-by: Sean Owen <sowen@cloudera.com>
(cherry picked from commit b6f6075)
… 10.12.1.1 security fix

## What changes were proposed in this pull request?

See #14379 ; I failed to note in back-porting to 1.6 that an additional Hadoop 1 deps file would need to be updated. This makes that change.

## How was this patch tested?

Jenkins tests.

Author: Sean Owen <sowen@cloudera.com>

Closes #14403 from srowen/SPARK-16751.2.
… 10.12.1.1 security fix

## What changes were proposed in this pull request?

See apache#14379 ; I failed to note in back-porting to 1.6 that an additional Hadoop 1 deps file would need to be updated. This makes that change.

## How was this patch tested?

Jenkins tests.

Author: Sean Owen <sowen@cloudera.com>

Closes apache#14403 from srowen/SPARK-16751.2.

(cherry picked from commit 03913af)