[SPARK-29252][BUILD] Upgrade zookeeper to 3.4.14 and fix vulnerabilities.#25933
[SPARK-29252][BUILD] Upgrade zookeeper to 3.4.14 and fix vulnerabilities.#25933beliefer wants to merge 5 commits intoapache:masterfrom beliefer:upgrade-zookeeper
Conversation
|
Test build #111383 has finished for PR 25933 at commit
|
| <protobuf.version>2.5.0</protobuf.version> | ||
| <yarn.version>${hadoop.version}</yarn.version> | ||
| <zookeeper.version>3.4.6</zookeeper.version> | ||
| <zookeeper.version>3.4.14</zookeeper.version> |
There was a problem hiding this comment.
Is it safe to upgrade zookeeper to 3.4.14 for Hadoop 2.7?
There was a problem hiding this comment.
Yes that's a good question @beliefer - what does 2.7 use?
I suspect we can update it. In that case we don't need to special-case the ZK version below anymore.
There was a problem hiding this comment.
Hadoop 2.7 uses zookeeper:3.4.6 by default.
It's OK. I reference https://www.cnblogs.com/ywjfx/p/11344345.html.
There was a problem hiding this comment.
Could you try to upgrade zookeeper to 3.4.14 for Hadoop 2.7.4, and check if Hadoop test can pass?
|
Retest this please. |
|
Test build #111396 has finished for PR 25933 at commit
|
|
Retest this please. |
|
Test build #111400 has finished for PR 25933 at commit
|
|
Retest this please. |
|
Test build #111418 has finished for PR 25933 at commit
|
| <protobuf.version>2.5.0</protobuf.version> | ||
| <yarn.version>${hadoop.version}</yarn.version> | ||
| <zookeeper.version>3.4.6</zookeeper.version> | ||
| <zookeeper.version>3.4.14</zookeeper.version> |
There was a problem hiding this comment.
Yes that's a good question @beliefer - what does 2.7 use?
I suspect we can update it. In that case we don't need to special-case the ZK version below anymore.
| arrow-format-0.12.0.jar | ||
| arrow-memory-0.12.0.jar | ||
| arrow-vector-0.12.0.jar | ||
| audience-annotations-0.5.0.jar |
There was a problem hiding this comment.
This is an ALv2 dependency from Yetus, it seems. It needs a line in LICENSE-binary with other ASF dependencies. We'd also have to check if it has a NOTICE file bundled to append to NOTICE-binary
There was a problem hiding this comment.
@srowen Thanks very much! However, I have not fully understood what you mean. Do we need NOTICE file?
There was a problem hiding this comment.
I checked the audience-annotations-0.5.0.jar and find the NOTICE file.
The content of the NOTICE file show below:
Apache Yetus - Audience Annotations
Copyright 2015-2017 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
There was a problem hiding this comment.
That's fine, just append this to the bottom of NOTICE-binary
There was a problem hiding this comment.
OK. I will append the NOTICE-binary.
dev/deps/spark-deps-hadoop-3.2
Outdated
| spire-platform_2.12-0.17.0-M1.jar | ||
| spire-util_2.12-0.17.0-M1.jar | ||
| spire_2.12-0.17.0-M1.jar | ||
| spotbugs-annotations-3.1.9.jar |
There was a problem hiding this comment.
Uh oh, this is LGPL. We can't include this. https://spotbugs.github.io/
It looks like ZK specifically excludes it from their binary release: apache/zookeeper@372e713
Therefore, we probably just need to write an exclusion rule to not pull in this dependency, as it sounds like it's not strictly needed at runtime (just annotations)
There was a problem hiding this comment.
@srowen Thank you for your very detailed investigation. I learned more. I will try to exclude it.
|
Test build #111550 has finished for PR 25933 at commit
|
|
Test build #111559 has finished for PR 25933 at commit
|
srowen
left a comment
srowen
left a comment
There was a problem hiding this comment.
Looks OK to me. We could probably exclude the other annotations too without issue, but it's OK to leave them as is.
pom.xml
Outdated
| <hadoop.version>3.2.0</hadoop.version> | ||
| <curator.version>2.13.0</curator.version> | ||
| <zookeeper.version>3.4.13</zookeeper.version> | ||
| <zookeeper.version>3.4.14</zookeeper.version> |
There was a problem hiding this comment.
I think you can just remove this if the profile does not change the value.
There was a problem hiding this comment.
Thanks for your remind. I will remove this line.
|
Test build #111586 has finished for PR 25933 at commit
|
|
@srowen Thanks for your help! @dongjoon-hyun @wangyum Thanks for all your review! |
5 participants
What changes were proposed in this pull request?
The current code uses org.apache.zookeeper:zookeeper:jar:3.4.6 and it will cause a security vulnerabilities. We could get some security info from https://www.tenable.com/cve/CVE-2019-0201
This reference remind to upgrate the version of
zookeeperto 3.4.14 or later.Why are the changes needed?
This PR fix the security vulnerabilities.
Does this PR introduce any user-facing change?
No.
How was this patch tested?
Exists UT.