Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/06/28 06:03:23 UTC
[GitHub] [pulsar] mattisonchao opened a new pull request, #16260: [Branch 2.10] Fix some OWASP dependency problems.
mattisonchao opened a new pull request, #16260:
URL: https://github.com/apache/pulsar/pull/16260
### Motivation
Fix some OWASP dependency problems, the details as below:
- #16148
- #15829
- #15864
### Modifications
- Fix some OWASP dependency problems
### Verifying this change
- [x] Make sure that the change passes the CI checks.
*(Please pick either of the following options)*
This change is a trivial rework / code cleanup without any test coverage.
*(or)*
This change is already covered by existing tests, such as *(please describe tests)*.
*(or)*
This change added tests and can be verified as follows:
*(example:)*
- *Added integration tests for end-to-end deployment with large payloads (10MB)*
- *Extended integration test for recovery after broker failure*
### Documentation
Check the box below or label this PR directly.
Need to update docs?
- [ ] `doc-required`
(Your PR needs to update docs and you will update later)
- [x] `doc-not-needed`
(Please explain why)
- [ ] `doc`
(Your PR contains doc changes)
- [ ] `doc-complete`
(Docs have been already added)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] mattisonchao merged pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.
mattisonchao merged PR #16260:
URL: https://github.com/apache/pulsar/pull/16260
[GitHub] [pulsar] mattisonchao commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.
mattisonchao commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168453574
I found we still have CVEs in branch-2.10, but I don't find any related fix on master.
```xml
mariadb-java-client-2.7.5.jar
<cve>CVE-2022-27444</cve>
<cve>CVE-2022-27446</cve>
<cve>CVE-2022-27449</cve>
<cve>CVE-2022-27451</cve>
<cve>CVE-2022-27452</cve>
<cve>CVE-2022-27455</cve>
<cve>CVE-2022-27457</cve>
```
These CVEs are about the server and they do not impact the client.
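One way to record the assessment above so that OWASP dependency-check stops reporting those server-side CVEs against the client jar, as an added example and not code from the PR; the suppression file name, the `packageUrl` pattern, the expiry date and the note text are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed dependency-check suppression file (assumed name: owasp-suppressions.xml). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- 'until' makes the suppression expire so the finding is re-evaluated later (date is constructed). -->
    <suppress until="2023-06-30Z">
        <notes><![CDATA[
        CVE-2022-27444/27446/27449/27451/27452/27455/27457 are MariaDB server
        issues; the JDBC client jar does not ship the affected server code.
        Re-check when mariadb-java-client is upgraded.
        ]]></notes>
        <!-- Scope to this artifact only (assumed Maven coordinates); never suppress a CVE id globally. -->
        <packageUrl regex="true">^pkg:maven/org\.mariadb\.jdbc/mariadb-java-client@.*$</packageUrl>
        <cve>CVE-2022-27444</cve>
        <cve>CVE-2022-27446</cve>
        <cve>CVE-2022-27449</cve>
        <cve>CVE-2022-27451</cve>
        <cve>CVE-2022-27452</cve>
        <cve>CVE-2022-27455</cve>
        <cve>CVE-2022-27457</cve>
    </suppress>
</suppressions>
```

Pairing each `<cve>` with a `<packageUrl>` keeps the same CVE id visible if it is ever reported against a different artifact, and the `<notes>` text is what a reviewer reads when the suppression shows up in the next diff.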
[GitHub] [pulsar] mattisonchao commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.
mattisonchao commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168640379
Why doesn't the master branch report these problems? : (
[GitHub] [pulsar] mattisonchao commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.
mattisonchao commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168631998
Another exception
```text
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: aether-connector-asynchttpclient-1.13.1.jar: CVE-2017-14063, CVE-2021-43138
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: async-http-client-1.6.5.jar: CVE-2021-43138
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: logback-core-1.2.3.jar: CVE-2021-42550
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-compat-3.0.5.jar: CVE-2021-26291
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-core-3.0.5.jar: CVE-2021-26291
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-settings-3.0.5.jar: CVE-2021-26291
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: netty-3.10.6.Final.jar: CVE-2019-16869, CVE-2021-37136, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: okhttp-3.14.9.jar: CVE-2021-0341
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: plexus-utils-2.0.6.jar: CVE-2017-1000487
Error: pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-cli-332.jar: CVE-2020-15087
```
[GitHub] [pulsar] nicoloboschi commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.
nicoloboschi commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168716344
@mattisonchao the pulsar-sql CVEs should not block; can you check what's going on in the job?