This is an automated email from the ASF dual-hosted git repository.

stigahuang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new 4f457facd IMPALA-13406: Switch to curl 8.10.1 to resolve CVEs
4f457facd is described below

commit 4f457facdf134226118dfd29517da569abf754e1
Author: Joe McDonnell <[email protected]>
AuthorDate: Thu Sep 26 12:27:05 2024 -0700

    IMPALA-13406: Switch to curl 8.10.1 to resolve CVEs
    
    This bumps the toolchain build and switches the version
    of Curl to 8.10.1. This resolves several medium and low
    severity CVEs that are present in Curl 7.78. See
    https://curl.se/docs/vuln-7.78.0.html
    
    This also changed the Curl build to stop including
    unnecessary features like TELNET/GOPHER/FTP/etc. That
    also reduces the surface area for CVEs.
    
    An error message changed slightly in the new Curl
    version, so this updates the test to match.
    
    Testing:
     - Ran an exhaustive job
    
    Change-Id: I844578187f1f3f791e4e02d7d686c3e444963806
    Reviewed-on: http://gerrit.cloudera.org:8080/21858
    Tested-by: Impala Public Jenkins <[email protected]>
    Reviewed-by: Michael Smith <[email protected]>
---
 bin/impala-config.sh                                              | 8 ++++----
 fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/impala-config.sh b/bin/impala-config.sh
index 336a1631c..363236b93 100755
--- a/bin/impala-config.sh
+++ b/bin/impala-config.sh
@@ -81,13 +81,13 @@ export USE_AVRO_CPP=${USE_AVRO_CPP:=false}
 # moving to a different build of the toolchain, e.g. when a version is bumped 
or a
 # compile option is changed. The build id can be found in the output of the 
toolchain
 # build jobs, it is constructed from the build number and toolchain git hash 
prefix.
-export IMPALA_TOOLCHAIN_BUILD_ID_AARCH64=51-e06c7dcb96
-export IMPALA_TOOLCHAIN_BUILD_ID_X86_64=475-e06c7dcb96
+export IMPALA_TOOLCHAIN_BUILD_ID_AARCH64=56-810d0f4757
+export IMPALA_TOOLCHAIN_BUILD_ID_X86_64=486-810d0f4757
 export IMPALA_TOOLCHAIN_REPO=\
 ${IMPALA_TOOLCHAIN_REPO:-https://github.com/cloudera/native-toolchain.git}
 export IMPALA_TOOLCHAIN_BRANCH=${IMPALA_TOOLCHAIN_BRANCH:-master}
 export IMPALA_TOOLCHAIN_COMMIT_HASH=\
-${IMPALA_TOOLCHAIN_COMMIT_HASH-e06c7dcb9663a5df08a6bda025d82806762d019f}
+${IMPALA_TOOLCHAIN_COMMIT_HASH-810d0f47572d9ac4036c34eb2ad6342d51d510cd}
 # Compare the build ref in build IDs by removing everything 
up-to-and-including the
 # first hyphen.
 if [ "${IMPALA_TOOLCHAIN_BUILD_ID_AARCH64#*-}" \
@@ -121,7 +121,7 @@ export IMPALA_CMAKE_VERSION=3.22.2
 unset IMPALA_CMAKE_URL
 export IMPALA_CRCUTIL_VERSION=2903870057d2f1f109b245650be29e856dc8b646
 unset IMPALA_CRCUTIL_URL
-export IMPALA_CURL_VERSION=7.78.0
+export IMPALA_CURL_VERSION=8.10.1
 unset IMPALA_CURL_URL
 export IMPALA_CYRUS_SASL_VERSION=2.1.23
 unset IMPALA_CYRUS_SASL_URL
diff --git a/fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java 
b/fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
index 87fe47033..dd991c1c0 100644
--- a/fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
+++ b/fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
@@ -487,7 +487,7 @@ public class JwtHttpTest {
     String expectedErrString = String.format("Impalad services did not start 
correctly, "
         + "exiting.  Error: Error downloading JWKS from '%s': Network error: 
curl "
         + "error: SSL peer certificate or SSH remote key was not OK: SSL: "
-        + "certificate subject name '%s' does not match target host name '%s'",
+        + "certificate subject name '%s' does not match target hostname '%s'",
         jwksHttpUrl, certCN, "localhost");
 
     // cluster start will fail because the TLS cert returned by the
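Review bot: `expectedErrString` pins libcurl's exact wording ("host name" vs "hostname"), so the test breaks on a curl upgrade even though the behaviour it guards is unchanged. That behaviour is that impalad refuses to start when the JWKS server's TLS certificate does not match the host. Consider asserting only on the Impala-owned prefix and a fragment stable across both curl versions, for example `"Error downloading JWKS from '%s'"` together with `"does not match target host"`. The code that consumes `expectedErrString` lies outside this hunk, so this assumes the check can be a substring or pattern match. Failing that, a comment such as `// Tail of this message is produced by libcurl and may change between curl versions.` above the format string would tell the next person why it needs updating.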
