| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | hadoop new security issue CVE-2016-5001 and CVE-2017-316[12] | | |
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, thierry.vignaud |
| Version: | 5 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | hadoop-2.4.1-17.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.7.0 | | |
|
Description
David Walser
2016-12-17 01:39:16 CET

David Walser
2016-12-17 01:39:56 CET
CC: (none) => geiger.david68210, thierry.vignaud

Upstream has issued additional advisories on April 25:
http://openwall.com/lists/oss-security/2017/04/26/2
http://openwall.com/lists/oss-security/2017/04/26/1

The issues are fixed in 2.7.0.

Summary: hadoop new security issue CVE-2016-5001 => hadoop new security issue CVE-2016-5001 and CVE-2017-316[12]

David Walser
2017-06-05 01:42:12 CEST
Status comment: (none) => Fixed upstream in 2.7.0

Note that this package also doesn't build:
http://pkgsubmit.mageia.org/autobuild/cauldron/x86_64/core/2017-05-31/hadoop-2.4.1-17.mga6.src.rpm/build.0.20170601200202.log

Please drop it if possible.

(In reply to David Walser from comment #2)
> Please drop it if possible.

Had a quick look at the reverse deps, dropping hadoop would mean also dropping:
- avro
- hibernate-hql
- hibernate-search

Thanks for checking. What about recursively n. Could those three be dropped, or is this part of a house of cards?

These dependencies are crazy. You'd think this would be a leaf package. I don't know how we're supposed to be able to maintain this stuff when even Fedora can't. I wonder if this could be synced with F26, or if we wouldn't have the right deps for that.

I checked recursively and found only those three, but I think it's a limitation of the script. With urpmf looking for some mvn() BRs I found:

```
$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*hadoop
avro:mvn(org.apache.hadoop:hadoop-client)
$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*avro
hadoop:avro
hadoop:avro-maven-plugin
hibernate-search:mvn(org.apache.avro:avro)
wildfly:mvn(org.apache.avro:avro)
wildfly:mvn(org.hibernate:hibernate-search-serialization-avro)
$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*hibernate-hql
$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*hibernate-search
annox:mvn(org.hibernate:hibernate-search-engine)
hibernate-hql:mvn(org.hibernate:hibernate-search-engine)[>= 5.3.0]
querydsl3:mvn(org.hibernate:hibernate-search-orm)
querydsl:mvn(org.hibernate:hibernate-search-orm)
wildfly:mvn(org.hibernate:hibernate-search-backend-jgroups)[>= 5.5.4]
wildfly:mvn(org.hibernate:hibernate-search-backend-jms)
wildfly:mvn(org.hibernate:hibernate-search-engine)
wildfly:mvn(org.hibernate:hibernate-search-orm)
wildfly:mvn(org.hibernate:hibernate-search-serialization-avro)
```

So looks like hibernate-hql is a leaf package that could be dropped, but hibernate-search is needed for wildfly, which is needed for jetty and was the motivation for the whole Java stack upgrade Nicolas worked on recently.

Ouch. Ok, thanks. What a mess. With some work, I'm sure some of these dependencies could be undone, but we wouldn't be able to maintain it unless Fedora followed suit.

I see Nicolas has already begun an attempt to resync it with F26. Not sure yet if it will work.

update to hadoop 2.7.3 in progress

Fixed in cauldron
Whiteboard: MGA5TOO => (none)

We can't fix this for Mageia 5.
Status: NEW => RESOLVED