HADOOP-18484. Upgrade hsqldb to v2.7.1 to mitigate CVE-2022-41853#4991
@pjfanning -

@ashutoshcipher looks like you are right - GitHub seems to have made this issue public before hsqldb have managed to publish the release to Maven Central. Maybe, if we wait for a few days and check https://repo1.maven.org/maven2/org/hsqldb/hsqldb/ again.

Yeah, I will keep the PR open and keep a check on mvn.
|
@ashutoshcipher @pjfanning we may not be able to upgrade to 2.7.0. I tried to upgrade to 2.6.0 some time ago, but found that 2.6.0 and above require JDK 11. Do we have a solution for this?
|
Thanks @slfan1989. I can see here - http://hsqldb.org./ for Version 2.7.0 that

It seems that you can download jdk8-friendly jars from I'm not a Maven expert, but I think you might be able to specify a 'classifier' - in this case, possibly 'jdk8' - in order to have Maven download hsqldb-2.7.0-jdk8.jar. Presumably v2.7.1.jar will be similar (whenever it gets published).
|
💔 -1 overall
This message was automatically generated.
|
Looks like hsqldb does not want to do a v2.7.1 release. They want users to set system properties. https://sourceforge.net/p/hsqldb/discussion/73673/thread/0df9e4f45a/?limit=25#2489
|
@pjfanning Thank you very much for your feedback. From a personal point of view, we should still wait for v2.7.1. The way of setting properties does not seem to be very good. If we hard-code it, we may need to remove it later.

Yes, it's quite messy all in all. I'm not sure why they won't do a release.
|
Thanks @pjfanning @slfan1989. I think we can wait for a while for the 2.7.1 release and take a call on whether we want to make changes in code or not.

Let's wait more time.
|
@ashutoshcipher @pjfanning Version 2.7.1 is now available. May I ask you to update the PR?
Yes,

Thanks @adoroszlai. Triggering Jenkins once again for a cleaner build.
adoroszlai left a comment
Thanks @ashutoshcipher for updating the patch.
We'll need the following additional change to use the jdk8 artifacts:
<dependency>
<groupId>org.hsqldb</groupId>
<artifactId>hsqldb</artifactId>
+ <classifier>jdk8</classifier>
in:
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/pom.xml
hadoop-mapreduce-project/hadoop-mapreduce-examples/pom.xml
hadoop-mapreduce-project/pom.xml
hadoop-project/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/pom.xml
to avoid:
09:24:56,115 [ERROR] bad class file: ~/.m2/repository/org/hsqldb/hsqldb/2.7.1/hsqldb-2.7.1.jar(org/hsqldb/server/Server.class)
09:24:56,116 [ERROR] class file has wrong version 55.0, should be 52.0
when building with Java 8.
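A check for the build failure quoted in the comment above, added here as an example and not part of the PR: it reads the class-file major version of every entry in a jar (55 is Java 11, 52 is Java 8) so a dependency's bytecode level can be verified before the build, which is how to confirm that the `jdk8` classifier actually resolved to a Java 8 artifact. The jar contents below are constructed in memory; no real hsqldb jar is read.

```python
"""Report the bytecode level of the .class entries in a jar (added example)."""
import io
import struct
import zipfile

# Class-file major version -> JDK release (JVM spec, table 4.1-A).
JDK_BY_MAJOR = {52: "8", 53: "9", 54: "10", 55: "11", 61: "17", 65: "21"}


def class_major_version(data: bytes) -> int:
    """Return the major version from a class-file header: magic, minor, major."""
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    return major


def max_class_version(jar_bytes: bytes) -> int:
    """Highest major version across the classes a Java 8 runtime would load.

    META-INF/versions/* (multi-release overlays) and module-info.class are
    ignored by Java 8, so they are skipped here.
    """
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class") or name.startswith("META-INF/"):
                continue
            if name.endswith("module-info.class"):
                continue
            highest = max(highest, class_major_version(jar.read(name)))
    return highest


def loadable_on(jar_bytes: bytes, target_major: int = 52) -> bool:
    """True when every class fits the target JVM (52 = Java 8 by default)."""
    return max_class_version(jar_bytes) <= target_major


def fake_jar(major: int) -> bytes:
    """Constructed jar with one minimal class-file header (sample input only)."""
    header = struct.pack(">IHH", 0xCAFEBABE, 0, major)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/hsqldb/server/Server.class", header)
    return buf.getvalue()


if __name__ == "__main__":
    for label, major in (("hsqldb-2.7.1.jar", 55), ("hsqldb-2.7.1-jdk8.jar", 52)):
        v = max_class_version(fake_jar(major))
        status = "ok" if loadable_on(fake_jar(major)) else "too new"
        print(f"{label}: major {v} (Java {JDK_BY_MAJOR.get(v, '?')}), {status} for Java 8")
```

Point `max_class_version` at the bytes of a jar from `~/.m2/repository` to check a resolved artifact instead of the constructed one.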

Thanks @adoroszlai. I am resolving and updating exactly the same in my local :)
a1d38ef to 4760a4d
adoroszlai left a comment

Thanks @ashutoshcipher for the patch.

Thank you so much @adoroszlai for reviewing and your comments.
|
JIRA for ref - https://issues.apache.org/jira/browse/HDFS-16801 cc: @adoroszlai
|
|
The only failing Yetus check is

Thanks
…22-41853 (apache#4991) (cherry-picked from e62ba16) Change-Id: I439ce1c12dfd47637cf74fb472137277e62c3140
OSV-16076: HADOOP-18484. Upgrade hsqldb to v2.7.1 to mitigate CVE-2022-41853 (apache#4991)
Description of PR
Upgrade hsqldb to v2.7.1 to mitigate CVE-2022-41853
For code changes:
LICENSE, LICENSE-binary, NOTICE-binary files?