Posted to dev@pulsar.apache.org by Dave Fisher <wa...@apache.org> on 2024/03/12 21:44:52 UTC

Re: (pulsar-site) branch main updated: Use alternative format for linefeed in markdown

Putting a blank line in between should do the same.

Best,
Dave

> On Mar 12, 2024, at 2:41 PM, lhotari@apache.org wrote:
> 
> This is an automated email from the ASF dual-hosted git repository.
> 
> lhotari pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/pulsar-site.git
> 
> 
> The following commit(s) were added to refs/heads/main by this push:
>     new 582235f14b1d Use alternative format for linefeed in markdown
> 582235f14b1d is described below
> 
> commit 582235f14b1ddfdd91eb734adc5574e12fd12e55
> Author: Lari Hotari <lh...@users.noreply.github.com>
> AuthorDate: Tue Mar 12 23:41:07 2024 +0200
> 
>    Use alternative format for linefeed in markdown
> ---
> security/CVE-2022-34321.md |  8 ++++----
> security/CVE-2023-30428.md | 10 +++++-----
> security/CVE-2023-30429.md |  8 ++++----
> security/CVE-2023-31007.md | 10 +++++-----
> security/CVE-2023-37544.md | 10 +++++-----
> security/CVE-2023-37579.md |  8 ++++----
> security/CVE-2023-51437.md |  8 ++++----
> security/CVE-2024-27135.md | 10 +++++-----
> security/CVE-2024-27317.md | 10 +++++-----
> security/CVE-2024-27894.md | 10 +++++-----
> security/CVE-2024-28098.md | 10 +++++-----
> 11 files changed, 51 insertions(+), 51 deletions(-)
> 
> diff --git a/security/CVE-2022-34321.md b/security/CVE-2022-34321.md
> index e067bdf8664a..93c705ce9141 100644
> --- a/security/CVE-2022-34321.md
> +++ b/security/CVE-2022-34321.md
> @@ -15,10 +15,10 @@ This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2
> 
> The known risks include exposing sensitive information such as connected client IP and unauthorized logging level manipulation which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed through the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is b [...]
> 
> -2.10 Pulsar Proxy users should upgrade to at least 2.10.6.\
> -2.11 Pulsar Proxy users should upgrade to at least 2.11.3.\
> -3.0 Pulsar Proxy users should upgrade to at least 3.0.2.\
> -3.1 Pulsar Proxy users should upgrade to at least 3.1.1.\
> +2.10 Pulsar Proxy users should upgrade to at least 2.10.6.<br/>
> +2.11 Pulsar Proxy users should upgrade to at least 2.11.3.<br/>
> +3.0 Pulsar Proxy users should upgrade to at least 3.0.2.<br/>
> +3.1 Pulsar Proxy users should upgrade to at least 3.1.1.<br/>
> 
> Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
> 
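Review bot: The trailing `<br/>` on the last line of the replaced block (`3.1 Pulsar Proxy users should upgrade to at least 3.1.1.<br/>`) is redundant, because the blank line that follows already ends the paragraph; the same applies to the final `+` line of every hunk in this commit. Either drop the break on the last entry, or, as suggested later in this thread, turn the block into a markdown list (`- 2.10 Pulsar Proxy users should upgrade to at least 2.10.6.`), which renders one line per entry without raw HTML in the advisory source.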
> diff --git a/security/CVE-2023-30428.md b/security/CVE-2023-30428.md
> index 8a3df45a4da5..045c31dc760e 100644
> --- a/security/CVE-2023-30428.md
> +++ b/security/CVE-2023-30428.md
> @@ -15,11 +15,11 @@ The vulnerability is exploitable when an attacker can connect directly to the Pu
> 
> There are two known risks for affected users. First, an attacker could produce garbage messages to any topic in the cluster. Second, an attacker could produce messages to the topic level policies topic for other tenants and influence topic settings that could lead to exfiltration and/or deletion of messages for other tenants.
> 
> -2.8 Pulsar Broker users and earlier are unaffected.\
> -2.9 Pulsar Broker users should upgrade to one of the patched versions.\
> -2.10 Pulsar Broker users should upgrade to at least 2.10.4.\
> -2.11 Pulsar Broker users should upgrade to at least 2.11.1.\
> -3.0 Pulsar Broker users are unaffected.\
> +2.8 Pulsar Broker users and earlier are unaffected.<br/>
> +2.9 Pulsar Broker users should upgrade to one of the patched versions.<br/>
> +2.10 Pulsar Broker users should upgrade to at least 2.10.4.<br/>
> +2.11 Pulsar Broker users should upgrade to at least 2.11.1.<br/>
> +3.0 Pulsar Broker users are unaffected.<br/>
> 
> ## Credit:
> 
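Review bot: The first entry, `2.8 Pulsar Broker users and earlier are unaffected.`, reads as if the users rather than the versions are "earlier"; since the line is being rewritten anyway, `Pulsar Broker 2.8 and earlier are unaffected.` would be clearer and matches the "Any users running ... and earlier" phrasing used in the other files.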
> diff --git a/security/CVE-2023-30429.md b/security/CVE-2023-30429.md
> index edd12a0f8ca7..ab7f05d88c60 100644
> --- a/security/CVE-2023-30429.md
> +++ b/security/CVE-2023-30429.md
> @@ -15,10 +15,10 @@ When a client connects to the Pulsar Function Worker via the Pulsar Proxy where
> 
> The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
> 
> -2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\
> -2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\
> -3.0 Pulsar Function Worker users are unaffected.\
> -Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\
> +2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.<br/>
> +2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.<br/>
> +3.0 Pulsar Function Worker users are unaffected.<br/>
> +Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.<br/>
> 
> ## Credit:
> 
> diff --git a/security/CVE-2023-31007.md b/security/CVE-2023-31007.md
> index 2627b26c0332..421f7e01e1d7 100644
> --- a/security/CVE-2023-31007.md
> +++ b/security/CVE-2023-31007.md
> @@ -12,11 +12,11 @@ Improper Authentication vulnerability in Apache Software Foundation Apache Pulsa
> 
> This issue affects Apache Pulsar: through 2.9.4, from 2.10.0 through 2.10.3, 2.11.0.
> 
> -2.9 Pulsar Broker users should upgrade to at least 2.9.5.\
> -2.10 Pulsar Broker users should upgrade to at least 2.10.4.\
> -2.11 Pulsar Broker users should upgrade to at least 2.11.1.\
> -3.0 Pulsar Broker users are unaffected.\
> -Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.\
> +2.9 Pulsar Broker users should upgrade to at least 2.9.5.<br/>
> +2.10 Pulsar Broker users should upgrade to at least 2.10.4.<br/>
> +2.11 Pulsar Broker users should upgrade to at least 2.11.1.<br/>
> +3.0 Pulsar Broker users are unaffected.<br/>
> +Any users running the Pulsar Broker for 2.8.* and earlier should upgrade to one of the above patched versions.<br/>
> 
> ## Credit:
> 
> diff --git a/security/CVE-2023-37544.md b/security/CVE-2023-37544.md
> index a46997c73fde..12da9f24b13c 100644
> --- a/security/CVE-2023-37544.md
> +++ b/security/CVE-2023-37544.md
> @@ -16,11 +16,11 @@ This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from
> 
> The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature.
> 
> -2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.\
> -2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.\
> -3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.\
> -3.1 Pulsar WebSocket Proxy users are unaffected.\
> -Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.\
> +2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5.<br/>
> +2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2.<br/>
> +3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1.<br/>
> +3.1 Pulsar WebSocket Proxy users are unaffected.<br/>
> +Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.<br/>
> 
> ## Credit:
> 
> diff --git a/security/CVE-2023-37579.md b/security/CVE-2023-37579.md
> index 757a47776040..06d111674061 100644
> --- a/security/CVE-2023-37579.md
> +++ b/security/CVE-2023-37579.md
> @@ -15,10 +15,10 @@ Any authenticated user can retrieve a source's configuration or a sink's configu
> 
> The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.
> 
> -2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.\
> -2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.\
> -3.0 Pulsar Function Worker users are unaffected.\
> -Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.\
> +2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.<br/>
> +2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.<br/>
> +3.0 Pulsar Function Worker users are unaffected.<br/>
> +Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.<br/>
> 
> ## Credit:
> 
> diff --git a/security/CVE-2023-51437.md b/security/CVE-2023-51437.md
> index 88fc83b8dd06..6b1f3109df11 100644
> --- a/security/CVE-2023-51437.md
> +++ b/security/CVE-2023-51437.md
> @@ -14,10 +14,10 @@ Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes
> 
> Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker.
> 
> -2.11 Pulsar users should upgrade to at least 2.11.3.\
> -3.0 Pulsar users should upgrade to at least 3.0.2.\
> -3.1 Pulsar users should upgrade to at least 3.1.1.\
> -Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.\
> +2.11 Pulsar users should upgrade to at least 2.11.3.<br/>
> +3.0 Pulsar users should upgrade to at least 3.0.2.<br/>
> +3.1 Pulsar users should upgrade to at least 3.1.1.<br/>
> +Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.<br/>
> 
> For additional details on this attack vector, please refer to  https://codahale.com/a-lesson-in-timing-attacks/ .
> 
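Review bot: The trailing context line `For additional details on this attack vector, please refer to  https://codahale.com/a-lesson-in-timing-attacks/ .` has a doubled space before the URL; worth collapsing to a single space while this file is being edited. If the space before the final period is there on purpose, to keep the period out of the autolinked URL, leave that part as it is.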
> diff --git a/security/CVE-2024-27135.md b/security/CVE-2024-27135.md
> index a6795dcd13db..9beec9b5eebe 100644
> --- a/security/CVE-2024-27135.md
> +++ b/security/CVE-2024-27135.md
> @@ -16,11 +16,11 @@ Improper input validation in the Pulsar Function Worker allows a malicious authe
> 
> This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 
> 
> -2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\
> -2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\
> -3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\
> -3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\
> -3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\
> +2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br/>
> +2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br/>
> +3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br/>
> +3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br/>
> +3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br/>
> 
> Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
> 
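Review bot: The context line `This issue affects Apache Pulsar versions ... from 3.1.0 to 3.1.2, and 3.2.0. ` carries trailing whitespace, here and on the same line in the CVE-2024-27317, CVE-2024-27894 and CVE-2024-28098 hunks below; strip it while these files are being touched so that stray whitespace is not mistaken for an intended markdown hard break.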
> diff --git a/security/CVE-2024-27317.md b/security/CVE-2024-27317.md
> index bfbf9e60d243..dffc0c23ffca 100644
> --- a/security/CVE-2024-27317.md
> +++ b/security/CVE-2024-27317.md
> @@ -14,11 +14,11 @@ In Pulsar Functions Worker, authenticated users can upload functions in jar or n
> 
> This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 
> 
> -2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\
> -2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\
> -3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\
> -3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\
> -3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\
> +2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br/>
> +2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br/>
> +3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br/>
> +3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br/>
> +3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br/>
> 
> Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
> 
> diff --git a/security/CVE-2024-27894.md b/security/CVE-2024-27894.md
> index fff6545c897b..b1a5c8ff3cf7 100644
> --- a/security/CVE-2024-27894.md
> +++ b/security/CVE-2024-27894.md
> @@ -15,11 +15,11 @@ This vulnerability also applies to the Pulsar Broker when it is configured with
> 
> This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 
> 
> -2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.\
> -2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.\
> -3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.\
> -3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.\
> -3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.\
> +2.10 Pulsar Function Worker users should upgrade to at least 2.10.6.<br/>
> +2.11 Pulsar Function Worker users should upgrade to at least 2.11.4.<br/>
> +3.0 Pulsar Function Worker users should upgrade to at least 3.0.3.<br/>
> +3.1 Pulsar Function Worker users should upgrade to at least 3.1.3.<br/>
> +3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.<br/>
> 
> Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
> 
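Review bot: The upgrade lines in this hunk address only `Pulsar Function Worker users`, while the hunk header context states `This vulnerability also applies to the Pulsar Broker when it is configured with ...`, so a Broker operator scanning the list will not find their component. Consider the component-neutral wording the CVE-2024-28098 file uses (`2.10 Apache Pulsar users should upgrade to at least 2.10.6.<br/>`), or add a sentence stating which Broker versions are affected in that configuration.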
> diff --git a/security/CVE-2024-28098.md b/security/CVE-2024-28098.md
> index f727a03eda9a..e1494d586a85 100644
> --- a/security/CVE-2024-28098.md
> +++ b/security/CVE-2024-28098.md
> @@ -14,11 +14,11 @@ The vulnerability allows authenticated users with only produce or consume permis
> 
> This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. 
> 
> -2.10 Apache Pulsar users should upgrade to at least 2.10.6.\
> -2.11 Apache Pulsar users should upgrade to at least 2.11.4.\
> -3.0 Apache Pulsar users should upgrade to at least 3.0.3.\
> -3.1 Apache Pulsar users should upgrade to at least 3.1.3.\
> -3.2 Apache Pulsar users should upgrade to at least 3.2.1.\
> +2.10 Apache Pulsar users should upgrade to at least 2.10.6.<br/>
> +2.11 Apache Pulsar users should upgrade to at least 2.11.4.<br/>
> +3.0 Apache Pulsar users should upgrade to at least 3.0.3.<br/>
> +3.1 Apache Pulsar users should upgrade to at least 3.1.3.<br/>
> +3.2 Apache Pulsar users should upgrade to at least 3.2.1.<br/>
> 
> Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
> 
> 


Re: (pulsar-site) branch main updated: Use alternative format for linefeed in markdown

Posted by Dave Fisher <wa...@apache.org>.

> On Mar 12, 2024, at 3:32 PM, Lari Hotari <lh...@apache.org> wrote:
> 
> On 2024/03/12 21:44:52 Dave Fisher wrote:
>> Putting a blank line in between should do the same.
> 
> There seem to be differences.
> 
> A blank line in between will create separate paragraphs, example here:
> https://pulsar.apache.org/security/CVE-2022-24280/
> 
> This is the result with <br/>:
> https://pulsar.apache.org/security/CVE-2024-27135/
> 

So it may be that a bulleted list is best of all?

Best,
Dave

> -Lari


Re: (pulsar-site) branch main updated: Use alternative format for linefeed in markdown

Posted by Lari Hotari <lh...@apache.org>.

On 2024/03/12 21:44:52 Dave Fisher wrote:
> Putting a blank line in between should do the same.

There seem to be differences.

A blank line in between will create separate paragraphs, example here:
https://pulsar.apache.org/security/CVE-2022-24280/

This is the result with <br/>:
https://pulsar.apache.org/security/CVE-2024-27135/

-Lari