Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/03/09 17:25:09 UTC
[GitHub] [pulsar] nicoloboschi opened a new pull request #14629: [owasp] add suppressions for Kotlin stdlib CVE-2022-24329
nicoloboschi opened a new pull request #14629:
URL: https://github.com/apache/pulsar/pull/14629
Follow-up of https://github.com/apache/pulsar/pull/14579.
### Motivation
OWASP checker reports this vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
for Kotlin < 1.6.x
Currently we import Kotlin 1.4.32 from OkHttp3 (see https://github.com/apache/pulsar/pull/13065).
CVE-2022-24329 is rated as mid CVSS level (5.0).
Kotlin is used only by the Kubernetes client runtime lib.
Given that:
* Pulsar codebase doesn't have good coverage for the K8S client
* The vulnerability is mid level
* The vulnerability doesn't look relevant for Pulsar
It's safer to add the suppression instead of upgrading it without testing it.
### Modifications
- Add the suppression for Kotlin 1.4.32 for CVE-2022-24329
- [x] `no-need-doc`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
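What a scoped OWASP dependency-check suppression entry for this case looks like, as an added example (not the suppression file from this PR; the `until` expiry date, the notes wording and the exact version pin are assumptions):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the suppression file changed in the PR. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- until: date after which the suppression expires, so the pending upgrade
         is not forgotten (assumed value; dependency-check supports this attribute) -->
    <suppress until="2022-12-31Z">
        <notes><![CDATA[
        CVE-2022-24329 (kotlin-stdlib < 1.6). Kotlin 1.4.32 is pulled in transitively via
        OkHttp3 and is only used by the Kubernetes client runtime lib; the vulnerability does
        not look relevant to Pulsar's usage. Revisit when that dependency is upgraded.
        ]]></notes>
        <!-- Match only the kotlin-stdlib artifacts at the exact version being suppressed,
             so a different future version is scanned again instead of silently masked -->
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib.*@1\.4\.32$</packageUrl>
        <cve>CVE-2022-24329</cve>
    </suppress>
</suppressions>
```

Pinning the version in the packageUrl and setting `until` means the entry stops masking the finding as soon as the dependency changes or the date passes, which is the check a reviewer would want on any CVE suppression.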
[GitHub] [pulsar] nicoloboschi commented on pull request #14629: [owasp] add suppressions for Kotlin stdlib CVE-2022-24329
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14629:
URL: https://github.com/apache/pulsar/pull/14629#issuecomment-1063179144
needs to be cherry-picked to 2.9 as well https://github.com/apache/pulsar/runs/5473308768?check_suite_focus=true
[GitHub] [pulsar] lhotari commented on pull request #14629: [owasp] add suppression for Kotlin stdlib CVE-2022-24329
Posted by GitBox <gi...@apache.org>.
lhotari commented on pull request #14629:
URL: https://github.com/apache/pulsar/pull/14629#issuecomment-1063310806
/pulsarbot run-failure-checks