From 739e7b1b39b5a3321902fe24f3c4425eed419e8c Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Thu, 7 Nov 2024 12:45:33 +0100
Subject: [PATCH 1/2] wip
---
 .../3.3.6/010-exclude-snappy-from-avro.patch | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 hadoop/stackable/patches/3.3.6/010-exclude-snappy-from-avro.patch
diff --git a/hadoop/stackable/patches/3.3.6/010-exclude-snappy-from-avro.patch b/hadoop/stackable/patches/3.3.6/010-exclude-snappy-from-avro.patch
new file mode 100644
index 000000000..cf0f6b2de
--- /dev/null
+++ b/hadoop/stackable/patches/3.3.6/010-exclude-snappy-from-avro.patch
@@ -0,0 +1,64 @@ +diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml +index 9c7657b53af..a5e945deeae 100644 +--- a/hadoop-common-project/hadoop-common/pom.xml ++++ b/hadoop-common-project/hadoop-common/pom.xml +@@ -239,6 +239,12 @@ + org.apache.avro + avro + compile ++ ++ ++ org.xerial.snappy ++ snappy-java ++ ++ + + + org.apache.ant +diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/pom.xml b/hadoop-mapreduce-project/hadoop-mapreduce-client/pom.xml +index a5bffce09ab..97e7b9e7d88 100644 +--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/pom.xml ++++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/pom.xml +@@ -68,6 +68,10 @@ + paranamer-ant + com.thoughtworks.paranamer + ++ ++ org.xerial.snappy ++ snappy-java ++ + + + +diff --git a/hadoop-mapreduce-project/pom.xml b/hadoop-mapreduce-project/pom.xml +index 45ea915b62b..eae48021994 100644 +--- a/hadoop-mapreduce-project/pom.xml ++++ b/hadoop-mapreduce-project/pom.xml +@@ -74,6 +74,10 @@ + paranamer-ant + com.thoughtworks.paranamer + ++ ++ org.xerial.snappy ++ snappy-java ++ + + + +diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml +index da39c1e0ad0..b78943d1837 100644 +--- a/hadoop-project/pom.xml ++++ b/hadoop-project/pom.xml +@@ -1311,6 +1311,12 @@ + org.apache.avro + avro + ${avro.version} ++ ++ ++ org.xerial.snappy ++ snappy-java ++ ++ + + + net.sf.kosmosfs From bd02d784e9038f1ccc87d5d6aff05cb1d601473e Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:37:22 +0100 Subject: [PATCH 2/2] update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c8ed5a83..112ba931f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
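Review bot: The four `snappy-java` exclusions in this new patch file only cut the dependency path that runs through Avro, and neither the patch nor the `wip` commit message shows which snappy-java version, if any, ends up on the classpath afterwards. If another dependency or Hadoop's own compression support still resolves an old snappy-java, the CVE-2023-34455 exposure named in the changelog remains; if nothing else provides it, Avro's snappy codec would presumably fail at runtime with a missing class. I would attach the output of `mvn dependency:tree -Dincludes=org.xerial.snappy:snappy-java` for the patched modules and confirm which snappy-java jar is present in the built image. The patch file would also benefit from a short header above its first `diff --git` line stating the CVE, that the exclusion targets Avro's transitive snappy-java, and the condition under which the patch can be dropped. The POM element tags are not visible in this rendering, so the nesting of the added exclusion entries could not be checked here.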
@@ -63,6 +63,7 @@ All notable changes to this project will be documented in this file.
 - hbase: link to phoenix server jar ([#811]).
 - trino: Correctly report Trino version ([#881]).
+- hadoop: Fix CVE-2023-34455 by excluding a trasitive dependency to an old java-snappy lib ([#923])
 [#783]: https://github.com/stackabletech/docker-images/pull/783
 [#797]: https://github.com/stackabletech/docker-images/pull/797
@@ -106,6 +107,7 @@ All notable changes to this project will be documented in this file.
 [#914]: https://github.com/stackabletech/docker-images/pull/914
 [#917]: https://github.com/stackabletech/docker-images/pull/917
 [#920]: https://github.com/stackabletech/docker-images/pull/920
+[#923]: https://github.com/stackabletech/docker-images/pull/923
 ## [24.7.0] - 2024-07-24