diff --git a/CHANGELOG.md b/CHANGELOG.md
index 952c94a74..5d971cf65 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -86,6 +86,8 @@ All notable changes to this project will be documented in this file.
 - zookeeper: reduce docker image size by removing the recursive chown/chmods in the final image ([#1043]).
 - Fixed two hardcoded username references ([#1052]).
 - ubi9-rust-builder: Use pinned `rustup` version ([#1121]).
+- hive: Patch for postgres CVE-2024-1597 ([#1100]).
+- bump image-tools (for `bake`) and nixpkgs (for `nodejs_20`, used by pre-commit) ([#1100]).
 
 ### Removed
 
@@ -131,6 +133,7 @@ All notable changes to this project will be documented in this file.
 [#1097]: https://github.com/stackabletech/docker-images/pull/1097
 [#1098]: https://github.com/stackabletech/docker-images/pull/1098
 [#1099]: https://github.com/stackabletech/docker-images/pull/1099
+[#1100]: https://github.com/stackabletech/docker-images/pull/1100
 [#1101]: https://github.com/stackabletech/docker-images/pull/1101
 [#1102]: https://github.com/stackabletech/docker-images/pull/1102
 [#1103]: https://github.com/stackabletech/docker-images/pull/1103
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 9c907d628..c77ec4ef8 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -75,6 +75,10 @@ ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/j
 
 # Add S3 Support for Hive (support for s3a://)
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
+
+# According to https://hadoop.apache.org/docs/stable/hadoop-aws/tools/hadoop-aws/aws_sdk_upgrade.html, the jar filename has changed from
+# aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar to bundle-${AWS_JAVA_SDK_BUNDLE}.jar. In future, you might need to do:
+# cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
 cp /stackable/hadoop-${HADOOP}/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/apache-hive-metastore-${PRODUCT}-bin/lib/
 
 # Add Azure ABFS support (support for abfs://)
diff --git a/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch
new file mode 100644
index 000000000..8482057a7
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch
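Review bot: The added comment says the jar rename "might" be needed "in future" without tying it to a version, so nobody will know when the unconditional cp on the following line starts failing; Hadoop 3.4.0 is the release that moved hadoop-aws to AWS SDK v2 and ships `bundle-*.jar` instead of `aws-java-sdk-bundle-*.jar`. Suggest saying so, e.g. `# Hadoop >= 3.4.0 ships AWS SDK v2 as bundle-<version>.jar; once HADOOP is bumped past 3.3.x, switch the cp below to that name (AWS_JAVA_SDK_BUNDLE must then hold the SDK v2 version).` Keeping the cp unconditional is the right choice, since a missing jar then fails the build instead of silently producing an image without S3 support — assuming the RUN step this sits in aborts on error, which isn't visible here. The RUN step starts before the hunk.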
@@ -0,0 +1,47 @@
+From 85fab788520b73e514e52e0753d36dafdf513e5b Mon Sep 17 00:00:00 2001
+From: Nick Larsen
+Date: Thu, 15 May 2025 14:14:28 +0200
+Subject: Fix CVE-2024-1597
+
+See https://github.com/stackabletech/vulnerabilities/issues/681
+
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using
+PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there
+is no vulnerability. A placeholder for a numeric value must be immediately
+preceded by a minus. There must be a second placeholder for a string value after
+the first placeholder; both must be on the same line. By constructing a matching
+string payload, the attacker can inject SQL to alter the query,bypassing the
+protections that parameterized queries bring against SQL Injection attacks.
+Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are
+affected.
+---
+ pom.xml | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index a4dfc8d1e4..699228cba3 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -178,7 +178,7 @@
+ 2.5.0
+ 6.2.1.jre8
+ 8.0.31
+- 42.5.1
++ 42.5.6
+ 21.3.0.0
+ 2.3
+ 1.8.5
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index cd34884e3b..da84c8928e 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -72,7 +72,7 @@
+ 2.5.0
+ 6.2.1.jre8
+ 8.0.31
+- 42.5.1
++ 42.5.6
+ 21.3.0.0
+ 0.1.2
+
diff --git a/hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch b/hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch
new file mode 100644
index 000000000..09a201b46
--- /dev/null
+++ b/hive/stackable/patches/4.0.1/0005-Fix-CVE-2024-1597.patch
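Review bot: The patch message quotes the advisory's fixed versions (42.5.5 for the 42.5 line) but both pom hunks set the driver to `42.5.6`, and nothing in the message says why that version was chosen, so a reader verifying the patch against the CVE will wonder whether the number is a typo. One line in the message body would settle it, e.g. `Bumped to 42.5.6 rather than the first fixed release 42.5.5 because it is the newer maintenance release of the 42.5.x line` — adjust the wording if the reason was a different one. The 4.0.1 patch in the next hunk is identical apart from commit hashes and line offsets and needs the same line. Whether any other file in the Hive build pins the pgjdbc artifact separately from these two properties isn't visible here.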
@@ -0,0 +1,47 @@
+From 134b9e22475b3ae59eabbc0bf5c188912dc2393b Mon Sep 17 00:00:00 2001
+From: Nick Larsen
+Date: Thu, 15 May 2025 14:14:28 +0200
+Subject: Fix CVE-2024-1597
+
+See https://github.com/stackabletech/vulnerabilities/issues/681
+
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using
+PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there
+is no vulnerability. A placeholder for a numeric value must be immediately
+preceded by a minus. There must be a second placeholder for a string value after
+the first placeholder; both must be on the same line. By constructing a matching
+string payload, the attacker can inject SQL to alter the query,bypassing the
+protections that parameterized queries bring against SQL Injection attacks.
+Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are
+affected.
+---
+ pom.xml | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index 1898adeebe..89cf93ed37 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -179,7 +179,7 @@
+ 2.5.0
+ 6.2.1.jre8
+ 8.0.31
+- 42.5.1
++ 42.5.6
+ 21.3.0.0
+ 2.3
+ 1.8.5
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 599ad33ed0..17dfe063e8 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -73,7 +73,7 @@
+ 2.5.0
+ 6.2.1.jre8
+ 8.0.31
+- 42.5.1
++ 42.5.6
+ 21.3.0.0
+ 0.1.2
+
diff --git a/nix/sources.json b/nix/sources.json
index 43572c80a..173ad8a90 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": null,
 "owner": "stackabletech",
 "repo": "image-tools",
- "rev": "3795a8727a724a59edf17a3f4061b734302ea7cd",
- "sha256": "1x0n8cqsri7612asamk8ncfhh0xrk3khjjnfd80mzdhl9zk081nn",
+ "rev": "bdaf1f13d53231ed903efa0a50a595d9d2c6d06e",
+ "sha256": "0d0vqrhscra3p1mfqdbc0d5hkvrfcw8skav8snfp74p2mqdgsyz1",
 "type": "tarball",
- "url": "https://github.com/stackabletech/image-tools/archive/3795a8727a724a59edf17a3f4061b734302ea7cd.tar.gz",
+ "url": "https://github.com/stackabletech/image-tools/archive/bdaf1f13d53231ed903efa0a50a595d9d2c6d06e.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
@@ -17,10 +17,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe",
- "sha256": "16f329z831bq7l3wn1dfvbkh95l2gcggdwn6rk3cisdmv2aa3189",
+ "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
+ "sha256": "04c6dkshw07bm2isv7rvl6xgr4hn7hqznr0v2kww6zjfz4awk4a7",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/62b852f6c6742134ade1abdd2a21685fd617a291.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
}
diff --git a/shell.nix b/shell.nix
index 2ece43658..687e0b3ca 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,6 +1,7 @@
-{ sources ? import ./nix/sources.nix
-, nixpkgs ? sources.nixpkgs
-, pkgs ? import nixpkgs { }
+{
+ sources ? import ./nix/sources.nix,
+ nixpkgs ? sources.nixpkgs,
+ pkgs ? import nixpkgs { },
 }:
 
 let
@@ -9,6 +10,7 @@ in pkgs.mkShell {
 
 packages = [
 bake
+ pkgs.nodejs_20
 ];
 
 buildInputs = [
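Review bot: `pkgs.nodejs_20` is added to `packages` in the second shell.nix hunk without a word on what needs it; the CHANGELOG entry in this same PR says it is for pre-commit, and that belongs next to the line itself, e.g. `pkgs.nodejs_20 # needed by the pre-commit hooks`. Pinning a major Node version in the dev shell will also go stale silently once nixpkgs drops that attribute, so a note on when it can be removed or bumped would help whoever hits that. The `pkgs.mkShell {` attribute set this hunk sits in starts before the hunk and ends after it.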