packages/hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!22 fix CVE-2020-9492

Browse Source 
From: @wangxiao65
Reviewed-by: @small_leek,@zhengzhenyu
Signed-off-by: @zhengzhenyu
This commit is contained in:
openeuler-ci-bot 2021-05-17 14:59:10 +08:00 committed by Gitee
commit d968f2fd7e
2 changed files with 58 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2020-9492.patch Normal file
View File

@ -0,0 +1,53 @@
From c5ed4ec13dcc2e3bf6e7033ebfe9f5c9508e9236 Mon Sep 17 00:00:00 2001
From: Eric Yang <eyang@apache.org>
Date: Mon, 15 Jun 2020 10:55:26 +0900
Subject: [PATCH] SPNEGO TLS verification
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
---
.../org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
index b316bf1..b34ce82 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/WebHdfsFileSystem.java
@@ -144,6 +144,7 @@ public class WebHdfsFileSystem extends FileSystem
+ "/v" + VERSION;
public static final String EZ_HEADER = "X-Hadoop-Accept-EZ";
public static final String FEFINFO_HEADER = "X-Hadoop-feInfo";
+ public static final String DFS_HTTP_POLICY_KEY = "dfs.http.policy";
/**
* Default connection factory may be overridden in tests to use smaller
@@ -172,6 +173,7 @@ public class WebHdfsFileSystem extends FileSystem
private DFSOpsCountStatistics storageStatistics;
private KeyProvider testProvider;
+ private boolean isTLSKrb;
/**
* Return the protocol scheme for the FileSystem.
@@ -233,6 +235,7 @@ public class WebHdfsFileSystem extends FileSystem
.newDefaultURLConnectionFactory(connectTimeout, readTimeout, conf);
}
+ this.isTLSKrb = "HTTPS_ONLY".equals(conf.get(DFS_HTTP_POLICY_KEY));
ugi = UserGroupInformation.getCurrentUser();
this.uri = URI.create(uri.getScheme() + "://" + uri.getAuthority());
@@ -683,6 +686,11 @@ public class WebHdfsFileSystem extends FileSystem
//redirect hostname and port
redirectHost = null;
+ if (url.getProtocol().equals("http") &&
+ UserGroupInformation.isSecurityEnabled() &&
+ isTLSKrb) {
+ throw new IOException("Access denied: dfs.http.policy is HTTPS_ONLY.");
+ }
// resolve redirects for a DN operation unless already resolved
if (op.getRedirect() && !redirected) {
--
2.23.0

6
hadoop.spec
View File

@ -11,7 +11,7 @@
%define _binaries_in_noarch_packages_terminate_build 0
Name: hadoop
Version: 3.2.1
Release: 1
Release: 2
Summary: A software platform for processing vast amounts of data
# The BSD license file is missing
# https://issues.apache.org/jira/browse/HADOOP-9849
@ -31,6 +31,7 @@ Source10: %{name}-core-site.xml
Source11: %{name}-hdfs-site.xml
Source12: %{name}-mapred-site.xml
Source13: %{name}-yarn-site.xml
Patch0: CVE-2020-9492.patch
Patch1: 0001-sys_errlist-undeclared.patch
@ -1110,5 +1111,8 @@ fi
%config(noreplace) %{_sysconfdir}/%{name}/container-executor.cfg
%changelog
* Fri May 14 2021 wangyue <wangyue92@huawei.com> - 3.2.1-2
- Fix CVE-2020-9492
* Thu May 13 2021 Ge Wang <wangge20@huawei.com> - 3.2.1-1
- Init package