Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/06/28 06:03:23 UTC

[GitHub] [pulsar] mattisonchao opened a new pull request, #16260: [Branch 2.10] Fix some OWASP dependency problems.

mattisonchao opened a new pull request, #16260:
URL: https://github.com/apache/pulsar/pull/16260

   ### Motivation
   
   Fix some OWASP dependency problems, the details as below:
   
   - #16148 
   - #15829
   - #15864
   
   ### Modifications
   
   - Fix some OWASP dependency problems
   
   ### Verifying this change
   
   - [x] Make sure that the change passes the CI checks.
   
   *(Please pick either of the following options)*
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   *(or)*
   
   This change is already covered by existing tests, such as *(please describe tests)*.
   
   *(or)*
   
   This change added tests and can be verified as follows:
   
   *(example:)*
     - *Added integration tests for end-to-end deployment with large payloads (10MB)*
     - *Extended integration test for recovery after broker failure*
   
   ### Documentation
   
   Check the box below or label this PR directly.
   
   Need to update docs? 
   
   - [ ] `doc-required` 
   (Your PR needs to update docs and you will update later)
     
   - [x] `doc-not-needed` 
   (Please explain why)
     
   - [ ] `doc` 
   (Your PR contains doc changes)
   
   - [ ] `doc-complete`
   (Docs have been already added)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] mattisonchao merged pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.

Posted by GitBox <gi...@apache.org>.
mattisonchao merged PR #16260:
URL: https://github.com/apache/pulsar/pull/16260



[GitHub] [pulsar] mattisonchao commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.

Posted by GitBox <gi...@apache.org>.
mattisonchao commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168453574

   I found we still have CVEs in branch-2.10, but I don't find any related fix on master.
   
   ```xml
   mariadb-java-client-2.7.5.jar
       <cve>CVE-2022-27444</cve>
       <cve>CVE-2022-27446</cve>
       <cve>CVE-2022-27449</cve>
       <cve>CVE-2022-27451</cve>
       <cve>CVE-2022-27452</cve>
       <cve>CVE-2022-27455</cve>
       <cve>CVE-2022-27457</cve>
   ```
   These CVEs are about the server and they do not impact the client.
   



[GitHub] [pulsar] mattisonchao commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.

Posted by GitBox <gi...@apache.org>.
mattisonchao commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168640379

   Why doesn't the master branch report these problems?  : (



[GitHub] [pulsar] mattisonchao commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.

Posted by GitBox <gi...@apache.org>.
mattisonchao commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168631998

   Another exception
   ```text
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: aether-connector-asynchttpclient-1.13.1.jar: CVE-2017-14063, CVE-2021-43138
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: async-http-client-1.6.5.jar: CVE-2021-43138
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: logback-core-1.2.3.jar: CVE-2021-42550
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-compat-3.0.5.jar: CVE-2021-26291
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-core-3.0.5.jar: CVE-2021-26291
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-settings-3.0.5.jar: CVE-2021-26291
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: netty-3.10.6.Final.jar: CVE-2019-16869, CVE-2021-37136, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: okhttp-3.14.9.jar: CVE-2021-0341
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: plexus-utils-2.0.6.jar: CVE-2017-1000487
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-cli-332.jar: CVE-2020-15087
   ```

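The two comments above show the two halves of this kind of triage: a list of CVEs attributed to a jar that the author judges not to apply to how the jar is used (the mariadb-java-client entries), and raw dependency-check CI output naming jars that still block. The following Python is an added example, not Apache Pulsar code and not posted by anyone in this thread. It parses lines in the shape of that CI output, splits findings into blocking and suppressed using rules that must name both the jar and the exact CVE (a blanket suppression is refused), and renders the rules as entries in OWASP dependency-check's suppression-file format using its `filePath` and `cve` elements. The sample log lines are constructed, and the single rule encodes the justification given in the comment about mariadb-java-client as a placeholder; whether that justification holds is the reviewer's call, not something the code checks.

```python
"""Triage OWASP dependency-check CI output against CVE-scoped suppression rules.

Added example, not Apache Pulsar code. Models the decision in the thread:
which reported CVEs still block the build, which are suppressed and why.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the CI lines quoted in the thread.
SAMPLE_LOG = """\
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: netty-3.10.6.Final.jar: CVE-2019-16869, CVE-2021-37136
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: mariadb-java-client-2.7.5.jar: CVE-2022-27444, CVE-2022-27446
Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-core-3.0.5.jar: CVE-2021-26291
Warning: unrelated line that must be ignored
"""

# "artifact-version.jar": artifact is everything before the first "-<digit>".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^-]*)\.jar$")


@dataclass(frozen=True)
class Finding:
    archive: str   # outer archive path as printed by the check
    jar: str
    artifact: str
    version: str
    cve: str


@dataclass(frozen=True)
class Rule:
    jar_regex: str     # searched against the jar file name
    cves: frozenset    # exact CVE ids this rule may suppress; never empty
    reason: str        # justification that ends up in the suppression file


# Placeholder rule encoding the justification stated in the thread (assumption:
# that the listed CVEs are server-side only; the code does not verify this).
RULES = [
    Rule(r"mariadb-java-client-2\.7\.\d+\.jar",
         frozenset({"CVE-2022-27444", "CVE-2022-27446", "CVE-2022-27449",
                    "CVE-2022-27451", "CVE-2022-27452", "CVE-2022-27455",
                    "CVE-2022-27457"}),
         "MariaDB server-side CVEs; recorded as not affecting the JDBC client"),
]


def parse_findings(log: str) -> list:
    """One Finding per (jar, CVE) pair from 'Error:  <archive...>: <jar>: CVE, CVE' lines."""
    findings = []
    for line in log.splitlines():
        if not line.startswith("Error:"):
            continue
        parts = [p.strip() for p in line[len("Error:"):].split(": ")]
        if len(parts) < 3:
            continue
        *archive, jar, cve_list = parts
        m = JAR_RE.match(jar)
        if not m:
            continue
        for cve in cve_list.split(","):
            findings.append(Finding(": ".join(archive), jar,
                                    m["artifact"], m["version"], cve.strip()))
    return findings


def triage(findings, rules):
    """Return (blocking, suppressed). A finding is suppressed only when a rule
    matches its jar name AND lists its exact CVE; rules with no CVEs are rejected
    so a suppression can never silently cover future findings on the same jar."""
    for r in rules:
        if not r.cves:
            raise ValueError(f"blanket suppression for {r.jar_regex!r} is not allowed")
    blocking, suppressed = [], []
    for f in findings:
        hit = next((r for r in rules
                    if re.search(r.jar_regex, f.jar) and f.cve in r.cves), None)
        if hit is None:
            blocking.append(f)
        else:
            suppressed.append((f, hit))
    return blocking, suppressed


def suppression_xml(rules) -> str:
    """Render rules as dependency-check <suppress> entries keyed by file path and CVE."""
    out = ['<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
           'dependency-suppression.1.3.xsd">']
    for r in rules:
        out.append("  <suppress>")
        out.append(f"    <notes><![CDATA[{r.reason}]]></notes>")
        out.append(f'    <filePath regex="true">.*{r.jar_regex}</filePath>')
        for cve in sorted(r.cves):
            out.append(f"    <cve>{cve}</cve>")
        out.append("  </suppress>")
    out.append("</suppressions>")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    block, skip = triage(found, RULES)
    for f in block:
        print(f"BLOCK  {f.jar}: {f.cve}")
    for f, r in skip:
        print(f"SKIP   {f.jar}: {f.cve}  ({r.reason})")
    print(suppression_xml(RULES))
```

Run against the constructed sample, the netty and maven-core findings stay blocking and only the two mariadb-java-client CVEs named in the rule are suppressed; a CVE reported later against the same jar but absent from the rule would block again, which is the behaviour you want from a suppression file.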


[GitHub] [pulsar] nicoloboschi commented on pull request #16260: [Branch 2.10] Fix some OWASP dependency problems.

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on PR #16260:
URL: https://github.com/apache/pulsar/pull/16260#issuecomment-1168716344

   @mattisonchao pulsar-sql CVEs should not block, can you check what's going on in the job?
