Commit dcecda1

fix(hive): CVE-2023-34455
1 parent 812fdcf commit dcecda1

2 files changed

+29
-0
lines changed


CHANGELOG.md

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -66,6 +66,7 @@ All notable changes to this project will be documented in this file.
6666
- spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading a dependency.
6767
Spark 3.5.2 is not affected. ([#921])
6868
- trino: Correctly report Trino version ([#881]).
69+
- hive: Fix CVE-2023-34455 in Hive 4.0.0 by excluding snappy-java from the build ([#929])
6970

7071
[#783]: https://github.com/stackabletech/docker-images/pull/783
7172
[#797]: https://github.com/stackabletech/docker-images/pull/797
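Review bot: The new hive entry (diff line 69) describes the fix as "excluding snappy-java from the build", but the patch in this commit only drops the transitive snappy-java from the hadoop-common dependency in standalone-metastore/pom.xml and relies on the version shipped with the Stackable Hadoop binaries; say so, otherwise a changelog reader will assume snappy-java is gone from every Hive artifact in the image. The entry is also missing the terminating period that the neighbouring spark and trino entries have. Suggested wording: `- hive: Fix CVE-2023-34455 in Hive 4.0.0 by excluding snappy-java from the standalone-metastore dependencies and using the version shipped with the Stackable Hadoop binaries ([#929]).`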
@@ -111,6 +112,7 @@ All notable changes to this project will be documented in this file.
111112
[#919]: https://github.com/stackabletech/docker-images/pull/919
112113
[#920]: https://github.com/stackabletech/docker-images/pull/920
113114
[#921]: https://github.com/stackabletech/docker-images/pull/921
115+
[#929]: https://github.com/stackabletech/docker-images/pull/929
114116

115117
## [24.7.0] - 2024-07-24
116118

Lines changed: 27 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,27 @@
1+
Fix CVE-2023-34455
2+
see https://github.com/stackabletech/vulnerabilities/issues/558
3+
and https://github.com/stackabletech/vulnerabilities/issues/862
4+
5+
Exclude snappy-java 1.1.8 from the standalone-metastore artifact
6+
and use the version shipped with the Hadoop binaries patched by
7+
Stackable with https://github.com/stackabletech/docker-images/blob/main/hadoop/stackable/patches/3.3.6/007-snappy-cves-3.3.6.patch
8+
9+
diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
10+
index 2982a45ca0..1c4f2ddbf4 100644
11+
--- a/standalone-metastore/pom.xml
12+
+++ b/standalone-metastore/pom.xml
13+
@@ -204,6 +204,14 @@
14+
<artifactId>hadoop-common</artifactId>
15+
<version>${hadoop.version}</version>
16+
<exclusions>
17+
+ <!-- Fix for CVE-2023-34455
18+
+ snappy-java can be excluded since a newer version is packaged
19+
+ with the Hadoop binaries.
20+
+ -->
21+
+ <exclusion>
22+
+ <groupId>org.xerial.snappy</groupId>
23+
+ <artifactId>snappy-java</artifactId>
24+
+ </exclusion>
25+
<exclusion>
26+
<groupId>org.apache.zookeeper</groupId>
27+
<artifactId>zookeeper</artifactId>
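Review bot: The exclusion added to the hadoop-common dependency (patch lines 17 to 24) removes snappy-java along that one path only, yet the inline comment and the description at the top of the patch treat it as sufficient; before merging, run `mvn -pl standalone-metastore dependency:tree -Dincludes=org.xerial.snappy` and confirm that no other metastore dependency pulls snappy-java 1.1.8 back in, then note the result in the patch description. The fix also assumes the metastore's runtime classpath includes the Hadoop lib directory: if it does not, the excluded classes are simply absent and any code path that touches snappy fails with a NoClassDefFoundError instead of running the vulnerable version. State that assumption in the description and record which snappy-java version the patched Hadoop ships, so the exclusion can be rechecked on the next Hadoop upgrade. Finally, the reference to 007-snappy-cves-3.3.6.patch links to `main`, which will drift; link to a commit SHA or the tag this image is built from.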
