From 99f3ca16a34e52d244febe85a7ec4766e0fc4301 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 6 May 2025 11:58:04 +0200 Subject: [PATCH 1/6] chore(hive): Bump dependencies ahead of 25.7.0 --- CHANGELOG.md | 2 ++ hive/Dockerfile | 4 +++- hive/versions.py | 18 +++++++++--------- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cf347fea..39f07716a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,7 @@ All notable changes to this project will be documented in this file. - yq: Bump products to use `4.45.2` ([#1090]). - cyclonedx-bom: Bump airflow and superset to use `6.0.0` ([#1090]). - vector: Bump to `0.46.1` ([#1098]). +- hive: Bump Hadoop to 3.4.1, and AWS bundle to 2.24.6 ([#1100]). ### Fixed @@ -90,6 +91,7 @@ All notable changes to this project will be documented in this file. [#1093]: https://github.com/stackabletech/docker-images/pull/1093 [#1097]: https://github.com/stackabletech/docker-images/pull/1097 [#1098]: https://github.com/stackabletech/docker-images/pull/1098 +[#1100]: https://github.com/stackabletech/docker-images/pull/1100 ## [25.3.0] - 2025-03-21 diff --git a/hive/Dockerfile b/hive/Dockerfile index 65c7209b5..fbc0c5415 100644 --- a/hive/Dockerfile +++ b/hive/Dockerfile 
@@ -71,7 +71,9 @@ ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/j
 # Add S3 Support for Hive (support for s3a://)
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
-cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
+# According to https://hadoop.apache.org/docs/stable/hadoop-aws/tools/hadoop-aws/aws_sdk_upgrade.html, the jar filename has changed from
+# aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar to bundle-${AWS_JAVA_SDK_BUNDLE}.jar
+cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
 # Add Azure ABFS support (support for abfs://)
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
diff --git a/hive/versions.py b/hive/versions.py
index 0e00a7d9f..cb6364a75 100644
--- a/hive/versions.py
+++ b/hive/versions.py
@@ -5,9 +5,9 @@
 # Hive 3 must be built with Java 8 but will run on Java 11
 "java-base": "11",
 "java-devel": "8",
- "hadoop": "3.3.6",
- # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
- "aws_java_sdk_bundle": "1.12.367",
+ "hadoop": "3.4.1",
+ # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.1
+ "aws_java_sdk_bundle": "2.24.6",
 "azure_storage": "7.0.1",
 "azure_keyvault_core": "1.0.0",
 },
@@ -17,9 +17,9 @@
 # Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
 "java-base": "11",
 "java-devel": "8",
- "hadoop": "3.3.6",
- # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
- "aws_java_sdk_bundle": "1.12.367",
+ "hadoop": "3.4.1",
+ # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.1
+ "aws_java_sdk_bundle": "2.24.6",
 "azure_storage": "7.0.1",
 "azure_keyvault_core": "1.0.0",
 },
@@ -29,9 +29,9 @@
 # Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
 "java-base": "11",
 "java-devel": "8",
- "hadoop": "3.3.6",
- # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
- "aws_java_sdk_bundle": "1.12.367",
+ "hadoop": "3.4.1",
+ # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.1
+ "aws_java_sdk_bundle": "2.24.6",
 "azure_storage": "7.0.1",
 "azure_keyvault_core": "1.0.0",
 },
From ed51123feff6669eb6909e1b78f7dadacb80441a Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Tue, 6 May 2025 12:02:10 +0200
Subject: [PATCH 2/6] fix(java): Use vector 0.46.1
This was missed in https://github.com/stackabletech/docker-images/pull/1098
---
 java-base/versions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java-base/versions.py b/java-base/versions.py
index 1c6f7706d..d4a1b095f 100644
--- a/java-base/versions.py
+++ b/java-base/versions.py
@@ -25,6 +25,6 @@
 },
 {
 "product": "24",
- "vector": "0.43.1",
+ "vector": "0.46.1",
 },
 ]
From 53be67eca3a6b37f54b03604f4b523b3abc47723 Mon Sep 17 00:00:00 2001
From: Nick Larsen Date: Wed, 28 May 2025 12:24:18 +0200 Subject: [PATCH 3/6] chore(hive): Patch postgres to resolve CVE-2024-1597 --- .../4.0.0/0005-Fix-CVE-2024-1597.patch | 47 +++++++++++++++++++ .../4.0.1/0005-Fix-CVE-2024-1597.patch | 47 +++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch create mode 100644 hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch diff --git a/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch new file mode 100644 index 000000000..8482057a7 --- /dev/null +++ b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch 
@@ -0,0 +1,47 @@ +From 85fab788520b73e514e52e0753d36dafdf513e5b Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Thu, 15 May 2025 14:14:28 +0200 +Subject: Fix CVE-2024-1597 + +See https://github.com/stackabletech/vulnerabilities/issues/681 + +pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using +PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there +is no vulnerability. A placeholder for a numeric value must be immediately +preceded by a minus. There must be a second placeholder for a string value after +the first placeholder; both must be on the same line. By constructing a matching +string payload, the attacker can inject SQL to alter the query,bypassing the +protections that parameterized queries bring against SQL Injection attacks. +Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are +affected. +--- + pom.xml | 2 +- + standalone-metastore/pom.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pom.xml b/pom.xml +index a4dfc8d1e4..699228cba3 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -178,7 +178,7 @@ + 2.5.0 + 6.2.1.jre8 + 8.0.31 +- 42.5.1 ++ 42.5.6 + 21.3.0.0 + 2.3 + 1.8.5 +diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml +index cd34884e3b..da84c8928e 100644 +--- a/standalone-metastore/pom.xml ++++ b/standalone-metastore/pom.xml +@@ -72,7 +72,7 @@ + 2.5.0 + 6.2.1.jre8 + 8.0.31 +- 42.5.1 ++ 42.5.6 + 21.3.0.0 + 0.1.2 + diff --git a/hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch b/hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch new file mode 100644 index 000000000..09a201b46 --- /dev/null +++ b/hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch 
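Review bot: The pgjdbc bump to 42.5.6 is added only for the Hive 4.0.0 patch set here (and duplicated for 4.0.1 in the next hunk), while hive/versions.py earlier in this series also builds a Hive 3 product that receives no corresponding patch. Whether Hive 3's pom pins a pgjdbc older than the fixed releases listed in this description (42.5.5 for the 42.5 line) is not visible in the diff, so either a matching `000x-Fix-CVE-2024-1597.patch` for that version or a sentence in the commit message stating why Hive 3 is out of scope would close the gap. The pasted advisory text also says the injection is only reachable with `PreferQueryMode=SIMPLE`, which is not the default; that context would be worth carrying into the CHANGELOG entry added in patch 6 so readers can judge exposure of existing deployments.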
@@ -0,0 +1,47 @@ +From 134b9e22475b3ae59eabbc0bf5c188912dc2393b Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Thu, 15 May 2025 14:14:28 +0200 +Subject: Fix CVE-2024-1597 + +See https://github.com/stackabletech/vulnerabilities/issues/681 + +pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using +PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there +is no vulnerability. A placeholder for a numeric value must be immediately +preceded by a minus. There must be a second placeholder for a string value after +the first placeholder; both must be on the same line. By constructing a matching +string payload, the attacker can inject SQL to alter the query,bypassing the +protections that parameterized queries bring against SQL Injection attacks. +Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are +affected. +--- + pom.xml | 2 +- + standalone-metastore/pom.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pom.xml b/pom.xml +index 1898adeebe..89cf93ed37 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -179,7 +179,7 @@ + 2.5.0 + 6.2.1.jre8 + 8.0.31 +- 42.5.1 ++ 42.5.6 + 21.3.0.0 + 2.3 + 1.8.5 +diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml +index 599ad33ed0..17dfe063e8 100644 +--- a/standalone-metastore/pom.xml ++++ b/standalone-metastore/pom.xml +@@ -73,7 +73,7 @@ + 2.5.0 + 6.2.1.jre8 + 8.0.31 +- 42.5.1 ++ 42.5.6 + 21.3.0.0 + 0.1.2 + From 83afb6013955179856701e3419a1b5edcd2cd06f Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 28 May 2025 12:31:39 +0200 Subject: [PATCH 4/6] chore(nix): Bump image-utils for newer bake Note: Should have been done as part of https://github.com/stackabletech/docker-images/pull/1118 --- nix/sources.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nix/sources.json b/nix/sources.json index 43572c80a..cddd07537 100644 --- a/nix/sources.json +++ b/nix/sources.json 
@@ -5,10 +5,10 @@ "homepage": null, "owner": "stackabletech", "repo": "image-tools", - "rev": "3795a8727a724a59edf17a3f4061b734302ea7cd", - "sha256": "1x0n8cqsri7612asamk8ncfhh0xrk3khjjnfd80mzdhl9zk081nn", + "rev": "bdaf1f13d53231ed903efa0a50a595d9d2c6d06e", + "sha256": "0d0vqrhscra3p1mfqdbc0d5hkvrfcw8skav8snfp74p2mqdgsyz1", "type": "tarball", - "url": "https://github.com/stackabletech/image-tools/archive/3795a8727a724a59edf17a3f4061b734302ea7cd.tar.gz", + "url": "https://github.com/stackabletech/image-tools/archive/bdaf1f13d53231ed903efa0a50a595d9d2c6d06e.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs": { From 80c1c22ce661cb854647ae2b584519ae6857ea58 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 28 May 2025 12:44:31 +0200 Subject: [PATCH 5/6] chore(nix): Bump nixpkgs and install nodejs_20 to keep pre-commit happy I was getting the following error: ``` An unexpected error has occurred: CalledProcessError: command: ('/nix/store/15jzs4a11nqp4m1xvnw0rz9395anzjsm-nodejs-18.20.8/bin/node', '/run/current-system/sw/bin/npm', 'install', '--include=dev', '--include=prod', '--ignore-prepublish', '--no-progress', '--no-save') return code: 1 stdout: (none) stderr: npm error code EBADENGINE npm error engine Unsupported engine npm error engine Not compatible with your version of node/npm: markdownlint-cli@0.45.0 npm error notsup Not compatible with your version of node/npm: markdownlint-cli@0.45.0 npm error notsup Required: {"node":">=20"} npm error notsup Actual: {"npm":"10.8.2","node":"v18.20.8"} npm error A complete log of this run can be found in: /home/nick/.npm/_logs/2025-05-28T10_40_07_463Z-debug-0.log Check the log at /home/nick/.cache/pre-commit/pre-commit.log ``` --- nix/sources.json | 6 +++--- shell.nix | 8 +++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/nix/sources.json b/nix/sources.json index cddd07537..173ad8a90 100644 --- a/nix/sources.json +++ b/nix/sources.json 
@@ -17,10 +17,10 @@ "homepage": null, "owner": "NixOS", "repo": "nixpkgs", - "rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe", - "sha256": "16f329z831bq7l3wn1dfvbkh95l2gcggdwn6rk3cisdmv2aa3189", + "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", + "sha256": "04c6dkshw07bm2isv7rvl6xgr4hn7hqznr0v2kww6zjfz4awk4a7", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/62b852f6c6742134ade1abdd2a21685fd617a291.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } diff --git a/shell.nix b/shell.nix index 2ece43658..687e0b3ca 100644 --- a/shell.nix +++ b/shell.nix @@ -1,6 +1,7 @@ -{ sources ? import ./nix/sources.nix -, nixpkgs ? sources.nixpkgs -, pkgs ? import nixpkgs { } +{ + sources ? import ./nix/sources.nix, + nixpkgs ? sources.nixpkgs, + pkgs ? import nixpkgs { }, }: let @@ -9,6 +10,7 @@ in pkgs.mkShell { packages = [ bake + pkgs.nodejs_20 ]; buildInputs = [ From 89eb1ef490403c522d48ebf8cd21e9d8b24a5990 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 28 May 2025 12:50:43 +0200 Subject: [PATCH 6/6] chore(hive): Revert hadoop and aws bumps, update changelog --- CHANGELOG.md | 3 ++- hive/Dockerfile | 6 ++++-- hive/versions.py | 18 +++++++++--------- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7dcc9a84b..7be2c8d48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -66,7 +66,6 @@ All notable changes to this project will be documented in this file. - nifi: update patch allowing to bypass host header validation starting with NiFi 2.4.0 ([#1125]). - BREAKING: kcat: Stop building kcat image ([#1124]). - containerdebug updated to 0.2.0 ([#1128]) -- hive: Bump Hadoop to 3.4.1, and AWS bundle to 2.24.6 ([#1100]). ### Fixed 
@@ -86,6 +85,8 @@ All notable changes to this project will be documented in this file.
 - zookeeper: reduce docker image size by removing the recursive chown/chmods in the final image ([#1043]).
 - Fixed two hardcoded username references ([#1052]).
 - ubi9-rust-builder: Use pinned `rustup` version ([#1121]).
+- hive: Patch for postgres CVE-2024-1597 ([#1100]).
+- bump image-tools (for `bake`) and nixpkgs (for `nodejs_20`, used by pre-commit) ([#1100]).
 ### Removed
diff --git a/hive/Dockerfile b/hive/Dockerfile
index c43d62498..c77ec4ef8 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -75,9 +75,11 @@ ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/j
 # Add S3 Support for Hive (support for s3a://)
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
+
 # According to https://hadoop.apache.org/docs/stable/hadoop-aws/tools/hadoop-aws/aws_sdk_upgrade.html, the jar filename has changed from
-# aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar to bundle-${AWS_JAVA_SDK_BUNDLE}.jar
-cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
+# aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar to bundle-${AWS_JAVA_SDK_BUNDLE}.jar. In future, you might need to do:
+# cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
+cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
 # Add Azure ABFS support (support for abfs://)
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
diff --git a/hive/versions.py b/hive/versions.py
index cb6364a75..0e00a7d9f 100644
--- a/hive/versions.py
+++ b/hive/versions.py
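Review bot: The rewritten comment in the hive/Dockerfile hunk leaves a commented-out `cp .../bundle-${AWS_JAVA_SDK_BUNDLE}.jar ...` line behind and phrases the guidance as "In future, you might need to do", which reads as speculation and will rot silently once the path or jar name changes again. The condition is already known from patch 1 of this series (Hadoop 3.4.1 with bundle 2.24.6 ships the SDK jar as `bundle-<version>.jar`), so stating it directly is clearer and the dead command can go, e.g. `# Hadoop 3.3.x ships the AWS SDK v1 jar as aws-java-sdk-bundle-<ver>.jar; from 3.4.x the v2 jar is named bundle-<ver>.jar (see the aws_sdk_upgrade link above), so adjust the cp below when bumping HADOOP.` The copied jar is still taken from the Hadoop tarball without any name- or checksum-based check beyond `cp` failing, which is pre-existing behaviour and not changed by this hunk.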
@@ -5,9 +5,9 @@
 # Hive 3 must be built with Java 8 but will run on Java 11
 "java-base": "11",
 "java-devel": "8",
- "hadoop": "3.4.1",
- # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.1
- "aws_java_sdk_bundle": "2.24.6",
+ "hadoop": "3.3.6",
+ # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
+ "aws_java_sdk_bundle": "1.12.367",
 "azure_storage": "7.0.1",
 "azure_keyvault_core": "1.0.0",
 },
@@ -17,9 +17,9 @@
 # Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
 "java-base": "11",
 "java-devel": "8",
- "hadoop": "3.4.1",
- # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.1
- "aws_java_sdk_bundle": "2.24.6",
+ "hadoop": "3.3.6",
+ # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
+ "aws_java_sdk_bundle": "1.12.367",
 "azure_storage": "7.0.1",
 "azure_keyvault_core": "1.0.0",
 },
@@ -29,9 +29,9 @@
 # Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
 "java-base": "11",
 "java-devel": "8",
- "hadoop": "3.4.1",
- # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.1
- "aws_java_sdk_bundle": "2.24.6",
+ "hadoop": "3.3.6",
+ # Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
+ "aws_java_sdk_bundle": "1.12.367",
 "azure_storage": "7.0.1",
 "azure_keyvault_core": "1.0.0",
 },
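Review bot: The revert restores `"hadoop": "3.3.6"` and `"aws_java_sdk_bundle": "1.12.367"` in this hunk and the two Hive 4 hunks that follow, but neither the commit message ("Revert hadoop and aws bumps") nor the file records why the 3.4.1 / 2.24.6 bump from patch 1 of this series was backed out, so the next person bumping these keys will repeat the attempt blind. A one-line comment above each `"hadoop"` key would keep that knowledge next to the value, e.g. `# Bump to 3.4.1 / AWS SDK v2 bundle was reverted in #1100: <reason-placeholder>` with the actual blocker filled in. The enclosing list literal these dict entries belong to starts and ends outside the hunks.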