Skip to content

HIVE-25054: (2.3) Upgrade jodd-core dependency to get rid of CVE-2018-21234 #4923

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
pan3793 wants to merge 2 commits into from
Closed

HIVE-25054: (2.3) Upgrade jodd-core dependency to get rid of CVE-2018-21234 #4923

pan3793 wants to merge 2 commits into from

Conversation

@pan3793
Copy link
Member

@pan3793 pan3793 commented Dec 7, 2023
edited
Loading

What changes were proposed in this pull request?

Backport HIVE-25054 to branch-2.3, to address CVE-2018-21234.

Why are the changes needed?

jodd CVE is listed in https://issues.apache.org/jira/browse/SPARK-44757 in first place, with score 9.8.

Although I prefer to get rid of such dependency by #4888, but it is objected by the Hive community (please let me know if we can do it in branch-2.3)

Does this PR introduce any user-facing change?

No. (but the jodd APIs used by Hive are changed, it's a potential breaking change of the downstream project which consumes Hive and jodd API directly)

Is the change a dependency upgrade?

Yes, the upgraded jar has zero-deps, but itself name changed

How was this patch tested?

Pass GA.

@pan3793
Copy link
Member Author

pan3793 commented Dec 7, 2023

cc @sunchao @LuciferYang @wangyum

@github-actions
Copy link

github-actions bot commented Feb 7, 2024

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Feel free to reach out on the dev@hive.apache.org list if the patch is in need of reviews.

@github-actions github-actions bot added the stale label Feb 7, 2024
@github-actions github-actions bot closed this Feb 14, 2024
@pan3793 pan3793 mentioned this pull request Feb 20, 2024
Closed
@pan3793
Copy link
Member Author

pan3793 commented Feb 20, 2024

Although I prefer to get rid of such dependency by #4888, but it is objected by the Hive community (please let me know if we can do it in branch-2.3)

the reason for my preference of copying rather than upgrading jodd is, that new jodd changed the calculation to use Java 8 Time API, I'm not sure if this will bring behavior change or not.

@sunchao sunchao reopened this Feb 29, 2024
@github-actions github-actions bot removed the stale label Mar 1, 2024
achennagiri and others added 2 commits March 5, 2024 01:54
@achennagiri @pan3793
HIVE-25054: Upgrade jodd-core dependency to get rid of CVE-2018-21234
c7b762a 
… (Abhay Chennagiri, reviewed by Jesus Camacho Rodriguez)

Closes apache#2217
@pan3793
nit
3714039
@pan3793 pan3793 mentioned this pull request Mar 4, 2024
Closed
6 tasks
@pan3793 pan3793 mentioned this pull request Mar 21, 2024
Merged
@pan3793
Copy link
Member Author

pan3793 commented Mar 26, 2024

Close and in favor #5151

@pan3793 pan3793 closed this Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sunchao sunchao sunchao approved these changes

+1 more reviewer

@LuciferYang LuciferYang LuciferYang approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

tests failed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@pan3793 @sunchao @LuciferYang @asf-ci-hive @achennagiri