Hadoop Common / HADOOP-14100

Upgrade Jsch jar to latest version to fix vulnerability in old versions

Details

• Type: Bug
• Status: Resolved
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: 2.7.3, 2.6.5
• Fix Version/s: 2.9.0, 2.7.4, 3.0.0-alpha4, 2.8.2
• Component/s: None
• Labels: None
• Hadoop Flags: Reviewed

Description

Recently a vulnerability was reported in the jsch library. It is fixed in the latest version, 0.1.54, which was released before the CVE was made public.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5725

So, we need to upgrade jsch to the latest version, 0.1.54.

Attachments

1. HADOOP-14100-01.patch (0.5 kB, Vinayakumar B)
2. HADOOP-14100-branch-2.7.patch (0.5 kB, Brahma Reddy Battula)

          Activity

Vinayakumar B (vinayrpet) added a comment:

Attached the patch to update.
Hadoop QA (hadoopqa) added a comment:

-1 overall

Vote Subsystem Runtime Comment
          0 reexec 0m 15s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 14m 8s trunk passed
          +1 compile 0m 8s trunk passed
          +1 mvnsite 0m 11s trunk passed
          +1 mvneclipse 0m 10s trunk passed
          +1 javadoc 0m 9s trunk passed
          +1 mvninstall 0m 7s the patch passed
          +1 compile 0m 6s the patch passed
          +1 javac 0m 6s the patch passed
          +1 mvnsite 0m 9s the patch passed
          +1 mvneclipse 0m 8s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 1s The patch has no ill-formed XML file.
          +1 javadoc 0m 7s the patch passed
          +1 unit 0m 6s hadoop-project in the patch passed.
          +1 asflicense 0m 17s The patch does not generate ASF License warnings.
          16m 50s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:a9ad5d6
          JIRA Issue HADOOP-14100
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12853660/HADOOP-14100-01.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml
          uname Linux 80adbd4100a8 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 8035749
          Default Java 1.8.0_121
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11666/testReport/
          modules C: hadoop-project U: hadoop-project
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11666/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

Steve Loughran (stevel@apache.org) added a comment:

HADOOP-11515 updated jsch to 0.1.51 in 2.8+.

We must not have older versions of Hadoop getting out of sync with the mainline dev branch(es).

I'd recommend a patch to branch-2 & trunk and then cherry-pick this back.
Wei-Chiu Chuang (jojochuang) added a comment:

Set target version as 3.0.0-alpha3 and 2.9.0 so that this one shows up in the Hadoop 3.0 release dashboard.
Arpit Agarwal (arpitagarwal) added a comment:

+1 for the patch.
Arpit Agarwal (arpitagarwal) added a comment:

Pushed to trunk, branch-2 and branch-2.8.
Hudson (hudson) added a comment:

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11295 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11295/)
HADOOP-14100. Upgrade Jsch jar to latest version to fix vulnerability in (arp: rev 159d6c56e7f3aa3ebe45750cf88735287f047b42)

• (edit) hadoop-project/pom.xml
Brahma Reddy Battula (brahmareddy) added a comment:

Uploading the branch-2.7 patch. Kindly review.
Steve Loughran (stevel@apache.org) added a comment:

LGTM, but we should do a Yetus run too. I'll reopen this and hit the submit patch button again.
Hadoop QA (hadoopqa) added a comment:

-1 overall

Vote Subsystem Runtime Comment
          0 reexec 0m 20s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 8m 7s branch-2.7 passed
          +1 compile 0m 9s branch-2.7 passed with JDK v1.8.0_131
          +1 compile 0m 9s branch-2.7 passed with JDK v1.7.0_121
          +1 mvnsite 0m 14s branch-2.7 passed
          +1 mvneclipse 0m 12s branch-2.7 passed
          +1 javadoc 0m 9s branch-2.7 passed with JDK v1.8.0_131
          +1 javadoc 0m 9s branch-2.7 passed with JDK v1.7.0_121
          +1 mvninstall 0m 7s the patch passed
          +1 compile 0m 6s the patch passed with JDK v1.8.0_131
          +1 javac 0m 6s the patch passed
          +1 compile 0m 7s the patch passed with JDK v1.7.0_121
          +1 javac 0m 7s the patch passed
          +1 mvnsite 0m 10s the patch passed
          +1 mvneclipse 0m 7s the patch passed
          -1 whitespace 0m 0s The patch has 1424 line(s) that end in whitespace. Use git apply --whitespace=fix <<patch_file>>. Refer https://git-scm.com/docs/git-apply
          -1 whitespace 0m 37s The patch 19 line(s) with tabs.
          +1 xml 0m 1s The patch has no ill-formed XML file.
          +1 javadoc 0m 5s the patch passed with JDK v1.8.0_131
          +1 javadoc 0m 7s the patch passed with JDK v1.7.0_121
          +1 unit 0m 7s hadoop-project in the patch passed with JDK v1.7.0_121.
          +1 asflicense 0m 15s The patch does not generate ASF License warnings.
          12m 31s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:c420dfe
          JIRA Issue HADOOP-14100
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12867045/HADOOP-14100-branch-2.7.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml
          uname Linux aa2ce5cd3393 3.13.0-116-generic #163-Ubuntu SMP Fri Mar 31 14:13:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision branch-2.7 / 0a149f3
          Default Java 1.7.0_121
          Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_131 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_121
          whitespace https://builds.apache.org/job/PreCommit-HADOOP-Build/12278/artifact/patchprocess/whitespace-eol.txt
          whitespace https://builds.apache.org/job/PreCommit-HADOOP-Build/12278/artifact/patchprocess/whitespace-tabs.txt
          JDK v1.7.0_121 Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/12278/testReport/
          modules C: hadoop-project U: hadoop-project
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/12278/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

Akira Ajisaka (ajisakaa) added a comment:

LGTM, +1
Akira Ajisaka (ajisakaa) added a comment:

Committed this to branch-2.7. Thanks Brahma Reddy Battula for the contribution and thanks Steve Loughran for the review!
Brahma Reddy Battula (brahmareddy) added a comment:

Akira Ajisaka, thanks a lot for the review and commit, and Steve Loughran, thanks for the review.
Vinod Kumar Vavilapalli (vinodkv) added a comment:

2.8.1 became a security release. Moving fix-version to 2.8.2 after the fact.

People

• Assignee: Vinayakumar B (vinayrpet)
• Reporter: Vinayakumar B (vinayrpet)
• Votes: 0
• Watchers: 10