Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/04/25 11:07:51 UTC

[GitHub] [pulsar] guyv opened a new issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.)

guyv opened a new issue #6818:
URL: https://github.com/apache/pulsar/issues/6818


   com.google.protobuf:protobuf-java:2.4.1 has a vulnerability issue: https://nvd.nist.gov/vuln/detail/CVE-2015-5237
   
   This jar is shaded for the pulsar java client.
   
   **Possible solution**
   upgrade to the latest version of protobuf (3.11.4)
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
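
A library shaded into a jar is not listed as a separate dependency for that jar's consumers, so one way to see what a client jar really bundles is to read the Maven metadata and class paths inside it. This is an added example, not code from the issue or from the Pulsar project; it assumes the shaded jar retains the `META-INF/maven/.../pom.properties` entries of bundled artifacts, and the sample jar, its `example/shade` relocation prefix and the function names are constructed for illustration.

```python
import io
import re
import zipfile

# Maven's archiver records groupId/artifactId/version of a packaged artifact here.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def embedded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for Maven metadata bundled in a jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = dict(
                line.split("=", 1)
                for line in jar.read(name).decode("utf-8", "replace").splitlines()
                if "=" in line and not line.startswith("#")
            )
            found[(m.group(1), m.group(2))] = props.get("version", "unknown").strip()
    return found

def relocated_copies(jar_bytes, package="com/google/protobuf"):
    """Return path prefixes under which `package` classes sit after relocation."""
    prefixes = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            idx = name.find(package + "/")
            if name.endswith(".class") and idx > 0:  # idx 0 means not relocated
                prefixes.add(name[:idx].rstrip("/"))
    return sorted(prefixes)

def build_sample_jar():
    """Constructed sample: a client jar with a relocated protobuf copy inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/example/client/pom.properties",
                     "version=2.5.1\ngroupId=example\nartifactId=client\n")
        # Hypothetical relocation prefix; a real shaded jar uses its own.
        jar.writestr("example/shade/com/google/protobuf/Message.class", b"")
        jar.writestr("META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
                     "#Generated by Maven\nversion=2.4.1\n"
                     "groupId=com.google.protobuf\nartifactId=protobuf-java\n")
    return buf.getvalue()

if __name__ == "__main__":
    jar = build_sample_jar()
    print(embedded_artifacts(jar), relocated_copies(jar))
```

If the metadata has been filtered out of the jar, `embedded_artifacts` reports nothing for the bundled library while `relocated_copies` still shows that a copy is present, which is the case that needs a manual version check.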



[GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
gaoran10 edited a comment on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-620513436


   @guyv Hi, could you provide the pulsar client version? The jar `org.apache.pulsar:pulsar-client:jar:2.6.0-SNAPSHOT` depends on `com.google.protobuf:protobuf-java-util:jar:3.5.1`.





[GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
sijie commented on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-625014210


   @gaoran10 let's keep this issue open and not close it. We still need to figure out a long-term sustainable solution for what we are going to do with protobuf 2.4.





[GitHub] [pulsar] guyv edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
guyv edited a comment on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-620760265


   @gaoran10 The client version I use is 2.5.1. But I see the same issue exists on the master branch (2.6.0-SNAPSHOT).
   
   To be clear, it is about: <pulsar.protobuf.shaded.version>
   see: https://github.com/apache/pulsar/blob/master/pom.xml#L149
   
   The shaded version is 2.4.1
   





[GitHub] [pulsar] guyv commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
guyv commented on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-620760265


   The client version I use is 2.5.1. But I see the same issue exists on the master branch (2.6.0-SNAPSHOT).
   
   To be clear, it is about: <pulsar.protobuf.shaded.version>
   see: https://github.com/apache/pulsar/blob/master/pom.xml#L149
   
   The shaded version is 2.4.1
   





[GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
gaoran10 commented on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-624988915


   @guyv Hi, refer to sijie's comment, this issue could be closed.





[GitHub] [pulsar] gaoran10 edited a comment on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
gaoran10 edited a comment on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-624988915


   @guyv Hi, refer to sijie's comment, this issue could be closed.





[GitHub] [pulsar] sijie commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
sijie commented on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-621601193


   @guyv currently pulsar client is using a customized protobuf-2.4 version for processing the requests. It is used for avoiding generating a lot of objects and reducing the frequency of garbage collection. It is pretty hard for us to upgrade. We will look into how to address it in future releases.





[GitHub] [pulsar] gaoran10 commented on issue #6818: pulsar-client vulnerability CVE-2015-5237 (shaded protobuf-java:2.4.1)

Posted by GitBox <gi...@apache.org>.
gaoran10 commented on issue #6818:
URL: https://github.com/apache/pulsar/issues/6818#issuecomment-620513436


   @guyv Could you provide the pulsar client version? The jar `org.apache.pulsar:pulsar-client:jar:2.6.0-SNAPSHOT` depends on `com.google.protobuf:protobuf-java-util:jar:3.5.1`.

