Bug 201527 - devel/hadoop2: bundled version of tomcat is vulnerable, unnecessary
Summary: devel/hadoop2: bundled version of tomcat is vulnerable, unnecessary
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Dmitry Sivachenko
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-13 13:44 UTC by Mark Felder
Modified: 2018-10-04 15:49 UTC
CC List: 1 user

See Also:
bugzilla: maintainer-feedback? (demon)

Description  Mark Felder  2015-07-13 13:44:24 UTC
hadoop2 bundles Tomcat 6.0.41 which is unnecessary and currently a security vulnerability. You should be able to require www/tomcat6 as a RUN_DEPENDENCY instead. Tomcat has the ability for different programs to share a single installation via the use of CATALINA_HOME and CATALINA_BASE using something like this:

CATALINA_HOME=${LOCALBASE}/apache-tomcat-6.0
CATALINA_BASE=${LOCALBASE}/share/hadoop/httpfs/tomcat

and for the kms part of the app:

CATALINA_BASE=${LOCALBASE}/share/hadoop/kms/tomcat

The CATALINA_HOME should point to the system-installed Tomcat and CATALINA_BASE is where you want your own private {bin,conf,logs,temp,webapps,work} dirs. (bin is usually only used if you want to supply a setenv.sh script to override any ENVs internal to Tomcat)

I do not know how to run or test hadoop, but if you would like my assistance I can help with this if you can do the testing.


Thanks!
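The CATALINA_HOME / CATALINA_BASE split described above, as an added example that is not part of the bug report or of the hadoop2 port: a small POSIX sh script that builds one private CATALINA_BASE tree (bin, conf, logs, temp, webapps, work) for a Hadoop service, checks it, and starts it from a single system-installed Tomcat. The default LOCALBASE, the port numbers in the constructed server.xml, and the HTTPFS_HOME variable in setenv.sh are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the bug report or the hadoop2 port: set up one
# private CATALINA_BASE per Hadoop service on top of a single, system-installed
# Tomcat (CATALINA_HOME) and start it with the shared catalina.sh.
# Assumptions (not stated on the page): LOCALBASE=/usr/local, the port numbers
# in server.xml, and the HTTPFS_HOME variable are illustrative only.

LOCALBASE="${LOCALBASE:-/usr/local}"
CATALINA_HOME="${CATALINA_HOME:-$LOCALBASE/apache-tomcat-6.0}"

# Create the per-instance tree Tomcat expects under CATALINA_BASE:
# bin conf logs temp webapps work. The shared CATALINA_HOME is never written to.
make_catalina_base() {
    base="$1"; home="$2"
    for d in bin conf logs temp webapps work; do
        mkdir -p "$base/$d"
    done
    # Private server.xml: ports and shutdown command for this instance only
    # (minimal constructed config; the real hadoop httpfs one has more).
    cat > "$base/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="14001" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="14000" protocol="HTTP/1.1" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" />
    </Engine>
  </Service>
</Server>
EOF
    # Tomcat needs a web.xml in CATALINA_BASE/conf; copy the shared one rather
    # than editing it in place (skipped if CATALINA_HOME is not installed yet).
    if [ -f "$home/conf/web.xml" ]; then
        cp "$home/conf/web.xml" "$base/conf/web.xml"
    fi
    # bin/setenv.sh is sourced by catalina.sh; per-instance JVM options go here.
    cat > "$base/bin/setenv.sh" <<'EOF'
# sourced by $CATALINA_HOME/bin/catalina.sh
CATALINA_OPTS="$CATALINA_OPTS -Dhttpfs.home.dir=${HTTPFS_HOME:-/var/hadoop/httpfs}"
export CATALINA_OPTS
EOF
    # conf/ holds server.xml (and later tomcat-users.xml); keep it private.
    chmod 0750 "$base/conf"
}

# Return 0 if the base looks usable, 1 (with a message on stderr) otherwise.
check_catalina_base() {
    base="$1"
    for d in bin conf logs temp webapps work; do
        if [ ! -d "$base/$d" ]; then
            echo "missing directory $base/$d" >&2
            return 1
        fi
    done
    if [ ! -f "$base/conf/server.xml" ]; then
        echo "missing $base/conf/server.xml" >&2
        return 1
    fi
    return 0
}

# Start the instance from the shared installation. Refuse to run (instead of
# silently falling back to a bundled copy) if CATALINA_HOME is not a Tomcat.
start_shared_tomcat() {
    base="$1"; home="$2"
    if [ ! -x "$home/bin/catalina.sh" ]; then
        echo "no Tomcat at $home (install www/tomcat6?)" >&2
        return 1
    fi
    check_catalina_base "$base" || return 1
    CATALINA_HOME="$home" CATALINA_BASE="$base" "$home/bin/catalina.sh" run
}

# Usage: sh share-tomcat.sh /usr/local/share/hadoop/httpfs/tomcat
if [ -n "$1" ]; then
    make_catalina_base "$1" "$CATALINA_HOME"
    start_shared_tomcat "$1" "$CATALINA_HOME"
fi
```

Running the same script a second time with `${LOCALBASE}/share/hadoop/kms/tomcat` gives the kms instance its own conf/logs/work while both instances load the Tomcat jars from the one copy that www/tomcat6 keeps patched; nothing under CATALINA_HOME is modified, which is what makes the shared copy safe to upgrade independently of Hadoop.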
Comment 1  Dmitry Sivachenko  2015-07-13 14:48:42 UTC
Hadoop uses a lot of other external deps which could in theory be installed as separate packages.

As far as I understand maven build system hadoop uses, they pull all these deps (tomcat included) to be sure they won't break compatibility when these deps are updated.

So I do not think it is wise to take tomcat out of control.

hadoop-2.7.1, released recently (July 6), also has a 6.0.41 version requirement.

I think we should rather poke hadoop developers to address this issue.

PS: hadoop is a rather complex beast, especially given that FreeBSD is not officially supported and thorough testing is required before switching to any newer version.
See the number of patches we have in ports/hadoop2; any upcoming version can potentially introduce something new, and this can only be detected at run time :(

Also, hadoop is the kind of software which is not supposed to be exposed to the Internet, but rather used in closed environments. (*)

Having all this in mind, I would rather put some kind of warning in ports, but not blindly follow every version change, especially having (*) in mind.  Otherwise we will end up with a port which has no formal security vulnerabilities but is not thoroughly tested and has broken functionality.

(We are also manually pulling an older Jetty release, which also has some vulnerabilities IIRC, but the version which is bundled with hadoop is broken on FreeBSD.)
Comment 2 Walter Schwarzenfeld 2018-01-12 06:56:49 UTC
Looks like it is overcome by events (?).