Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(hive): CVE-2023-34455 #929

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix(hive): CVE-2023-34455 #929

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
dcecda1
fix(hive): CVE-2023-34455
razvan Nov 11, 2024
e6f166c
main merge
razvan Nov 12, 2024
76748cb
Update patch list after main merge
razvan Nov 12, 2024
b27ec2e
Merge branch 'main' into fix/hive/cve-2023-34455
razvan Nov 12, 2024
5093a15
Merge branch 'main' into fix/hive/cve-2023-34455
razvan Nov 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,14 @@ All notable changes to this project will be documented in this file.

- nifi: Add NiFi hadoop Azure and GCP libraries ([#943]).

### Fixed

- hbase: Fix CVE-2023-34455 in HBase `2.4.18` by upgrading a dependency. ([#934]).
- hive: Fix CVE-2023-34455 in Hive 4.0.0 by excluding snappy-java from the build ([#929])

[#929]: https://github.com/stackabletech/docker-images/pull/929
[#943]: https://github.com/stackabletech/docker-images/pull/943
[#934]: https://github.com/stackabletech/docker-images/pull/934

## [24.11.0] - 2024-11-18

Expand Down Expand Up @@ -78,7 +85,6 @@ All notable changes to this project will be documented in this file.
- nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]).
- hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]).
- druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]).
- hbase: Fix CVE-2023-34455 in HBase `2.4.18` by upgrading a dependency. ([#934]).

[#783]: https://github.com/stackabletech/docker-images/pull/783
[#797]: https://github.com/stackabletech/docker-images/pull/797
Expand Down Expand Up @@ -128,7 +134,6 @@ All notable changes to this project will be documented in this file.
[#924]: https://github.com/stackabletech/docker-images/pull/924
[#925]: https://github.com/stackabletech/docker-images/pull/925
[#926]: https://github.com/stackabletech/docker-images/pull/926
[#934]: https://github.com/stackabletech/docker-images/pull/934

## [24.7.0] - 2024-07-24

Expand Down
27 changes: 27 additions & 0 deletions hive/stackable/patches/4.0.0/05-CVE-2023-34455-exclude-snappy.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
Fix CVE-2023-34455
see https://github.com/stackabletech/vulnerabilities/issues/558
and https://github.com/stackabletech/vulnerabilities/issues/862

Exclude snappy-java 1.1.8 from the standalone-metastore artifact
and use the version shipped with the Hadoop binaries patched by
Stackable with https://github.com/stackabletech/docker-images/blob/main/hadoop/stackable/patches/3.3.6/007-snappy-cves-3.3.6.patch

diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
index cd34884e3b..9bcbdfe7f7 100644
--- a/standalone-metastore/pom.xml
+++ b/standalone-metastore/pom.xml
@@ -210,6 +210,14 @@
<artifactId>hadoop-common</artifactId>
<version>${hadoop.version}</version>
<exclusions>
+ <!-- Fix for CVE-2023-34455
+ snappy-java can be excluded since a newer version is packaged
+ with the Hadoop binaries.
+ -->
+ <exclusion>
+ <groupId>org.xerial.snappy</groupId>
+ <artifactId>snappy-java</artifactId>
+ </exclusion>
<exclusion>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>