Upstream has issued an advisory today (December 16): http://openwall.com/lists/oss-security/2016/12/16/6 The issue is fixed in 2.6.4. Mageia 5 is also affected.
CC: (none) => geiger.david68210, thierry.vignaud
Whiteboard: (none) => MGA5TOO
Upstream has issued additional advisories on April 25: http://openwall.com/lists/oss-security/2017/04/26/2 http://openwall.com/lists/oss-security/2017/04/26/1 The issues are fixed in 2.7.0.
Summary: hadoop new security issue CVE-2016-5001 => hadoop new security issue CVE-2016-5001 and CVE-2017-316[12]
Status comment: (none) => Fixed upstream in 2.7.0
Note that this package also doesn't build: http://pkgsubmit.mageia.org/autobuild/cauldron/x86_64/core/2017-05-31/hadoop-2.4.1-17.mga6.src.rpm/build.0.20170601200202.log Please drop it if possible.
(In reply to David Walser from comment #2)
> Please drop it if possible.

Had a quick look at the reverse deps, dropping hadoop would mean also dropping:
- avro
- hibernate-hql
- hibernate-search
Thanks for checking. What about recursively n. Could those three be dropped, or is this part of a house of cards? These dependencies are crazy. You'd think this would be a leaf package.
I don't know how we're supposed to be able to maintain this stuff when even Fedora can't. I wonder if this could be synced with F26, or if we wouldn't have the right deps for that.
I checked recursively and found only those three, but I think it's a limitation of the script. With urpmf looking for some mvn() BRs I found:

$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*hadoop
avro:mvn(org.apache.hadoop:hadoop-client)

$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*avro
hadoop:avro
hadoop:avro-maven-plugin
hibernate-search:mvn(org.apache.avro:avro)
wildfly:mvn(org.apache.avro:avro)
wildfly:mvn(org.hibernate:hibernate-search-serialization-avro)

$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*hibernate-hql

$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*hibernate-search
annox:mvn(org.hibernate:hibernate-search-engine)
hibernate-hql:mvn(org.hibernate:hibernate-search-engine)[>= 5.3.0]
querydsl3:mvn(org.hibernate:hibernate-search-orm)
querydsl:mvn(org.hibernate:hibernate-search-orm)
wildfly:mvn(org.hibernate:hibernate-search-backend-jgroups)[>= 5.5.4]
wildfly:mvn(org.hibernate:hibernate-search-backend-jms)
wildfly:mvn(org.hibernate:hibernate-search-engine)
wildfly:mvn(org.hibernate:hibernate-search-orm)
wildfly:mvn(org.hibernate:hibernate-search-serialization-avro)

So looks like hibernate-hql is a leaf package that could be dropped, but hibernate-search is needed for wildfly, which is needed for jetty and was the motivation for the whole Java stack upgrade Nicolas worked on recently.
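The reverse-dependency walk the comment above does by hand (and that the "script" apparently stopped short of) can be done transitively over urpmf-style `package:requirement` lines. This is an added example, not code from the bug thread or from Mageia's tooling; the sample lines and the artifactId-to-package map are constructed, including a hypothetical `jetty:wildfly` edge standing in for the wildfly/jetty relationship the comment mentions.

```python
from collections import defaultdict

# Constructed sample shaped like `urpmf --requires` output (package:requirement),
# echoing the thread's lines plus a hypothetical 'jetty:wildfly' edge; not real data.
SAMPLE_LINES = """\
avro:mvn(org.apache.hadoop:hadoop-client)
hadoop:avro
hibernate-search:mvn(org.apache.avro:avro)
wildfly:mvn(org.apache.avro:avro)
hibernate-hql:mvn(org.hibernate:hibernate-search-engine)[>= 5.3.0]
querydsl:mvn(org.hibernate:hibernate-search-orm)
wildfly:mvn(org.hibernate:hibernate-search-engine)
jetty:wildfly
"""
# Assumed artifactId-prefix -> source package map; a real run would ask urpmf --provides.
PROVIDES = {"hadoop": "hadoop", "avro": "avro",
            "hibernate-search": "hibernate-search", "wildfly": "wildfly"}

def provider_of(requirement):
    """Map one requirement string to the source package providing it, or None."""
    req = requirement.split("[", 1)[0]          # drop a '[>= 5.3.0]' constraint
    if req.startswith("mvn(") and req.endswith(")"):
        req = req[4:-1].split(":")[-1]          # keep only the artifactId
    for prefix, pkg in PROVIDES.items():
        if req.startswith(prefix):
            return pkg
    return None
def reverse_deps(lines):
    """Build provider -> {packages that require it} from urpmf-style lines."""
    rdeps = defaultdict(set)
    for line in lines.splitlines():
        requirer, _, requirement = line.partition(":")
        provider = provider_of(requirement)
        if provider and provider != requirer:
            rdeps[provider].add(requirer)
    return rdeps
def would_drop(pkg, rdeps):
    """Everything that must go if pkg is dropped; tolerates the hadoop <-> avro cycle."""
    todo, seen = [pkg], set()
    while todo:
        cur = todo.pop()
        for dep in rdeps.get(cur, ()):
            if dep not in seen and dep != pkg:
                seen.add(dep)
                todo.append(dep)
    return seen
def leaves(candidates, rdeps):
    """Candidates nothing else requires: droppable on their own."""
    return {c for c in candidates if not rdeps.get(c)}
```

On the constructed sample, dropping hadoop pulls in avro, hibernate-search, wildfly and everything behind them, while hibernate-hql comes out as the only leaf among the three packages named in the thread.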
Ouch. Ok, thanks. What a mess. With some work, I'm sure some of these dependencies could be undone, but we wouldn't be able to maintain it unless Fedora followed suit. I see Nicolas has already begun an attempt to resync it with F26. Not sure yet if it will work.
update to hadoop 2.7.3 in progress
Fixed in cauldron
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
We can't fix this for Mageia 5.
Status: NEW => RESOLVED
Resolution: (none) => OLD