Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/03/09 17:25:09 UTC

[GitHub] [pulsar] nicoloboschi opened a new pull request #14629: [owasp] add suppressions for Kotlin stdlib CVE-2022-24329

nicoloboschi opened a new pull request #14629:
URL: https://github.com/apache/pulsar/pull/14629


   Follow-up of https://github.com/apache/pulsar/pull/14579.
   
   ### Motivation
   OWASP checker reports this vulnerability
   https://nvd.nist.gov/vuln/detail/CVE-2022-24329 
   for Kotlin < 1.6.x
   
   Currently we import Kotlin 1.4.32 from OkHttp3 (see https://github.com/apache/pulsar/pull/13065).
   CVE-2022-24329 is rated at a mid CVSS level (5.0).
   Kotlin is used only by the Kubernetes client runtime lib.
   
   Given that:
   * The Pulsar codebase doesn't have good coverage for the K8S client
   * The vulnerability is mid level
   * The vulnerability doesn't look relevant to Pulsar
   
   It's safer to add the suppression instead of upgrading it without testing it.
   
   ### Modifications
   - Add the suppression for Kotlin 1.4.32 for CVE-2022-24329
   
    - [x] `no-need-doc` 
     


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
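The PR description above says only that a suppression is added for Kotlin 1.4.32 and CVE-2022-24329. For readers who have not worked with OWASP dependency-check, the following is an added illustration of what such a suppression entry looks like and how to keep it narrow; it is not the diff from this PR or Pulsar's own file, and the file name `owasp-dependency-check-suppressions.xml`, the `until` date and the `kotlin-stdlib` package URL pattern are assumptions made here rather than taken from the Pulsar tree.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of an OWASP dependency-check suppression entry
     (assumed file: owasp-dependency-check-suppressions.xml).
     Not the PR's own change; the date and package pattern are assumptions. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- "until" makes the suppression expire: after this date the finding is
         reported again, which forces a re-evaluation instead of a permanent silence. -->
    <suppress until="2022-09-30Z">
        <notes><![CDATA[
        CVE-2022-24329 affects Kotlin < 1.6.x. Kotlin 1.4.32 is pulled in transitively
        (OkHttp3 / Kubernetes client) and is used only by the Kubernetes client runtime.
        Suppressed instead of upgraded because the K8S client path is not well covered
        by tests; revisit when the Kubernetes client dependency is upgraded.
        ]]></notes>
        <!-- Match only kotlin-stdlib artifacts from org.jetbrains.kotlin, so the
             suppression does not silence findings in unrelated dependencies. -->
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib.*@.*$</packageUrl>
        <!-- Suppress exactly this CVE; a newly published Kotlin CVE is still reported. -->
        <cve>CVE-2022-24329</cve>
    </suppress>
</suppressions>
```

The two things that keep a suppression honest are scope and expiry: matching on a specific `packageUrl` plus a single `<cve>` (rather than a bare `<cpe>` or a broad file-name pattern) means the entry cannot hide a different, later vulnerability in the same library, and the `until` attribute turns the suppression into a dated exception that the build will flag again once it lapses. The `<notes>` block is where the "not relevant to this project" reasoning from the PR belongs, so that whoever sees the finding reappear knows why it was accepted.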



[GitHub] [pulsar] nicoloboschi commented on pull request #14629: [owasp] add suppressions for Kotlin stdlib CVE-2022-24329

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14629:
URL: https://github.com/apache/pulsar/pull/14629#issuecomment-1063179144


   Needs to be cherry-picked to 2.9 as well: https://github.com/apache/pulsar/runs/5473308768?check_suite_focus=true





[GitHub] [pulsar] lhotari commented on pull request #14629: [owasp] add suppression for Kotlin stdlib CVE-2022-24329

Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #14629:
URL: https://github.com/apache/pulsar/pull/14629#issuecomment-1063310806


   /pulsarbot run-failure-checks

