Posted to dev@inlong.apache.org by GitBox <gi...@apache.org> on 2022/02/09 03:33:48 UTC
[GitHub] [incubator-inlong] pjfanning opened a new issue #2408: [Audit] protobuf-java dependency has security vulnerability
pjfanning opened a new issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408
### What happened
[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569)
### What you expected to happen
You might also need to upgrade other services to match the new version of protobuf you choose.
### How to reproduce
n/a
### Environment
_No response_
### InLong version
master
### InLong Component
InLong Audit
### Are you willing to submit PR?
- [ ] Yes, I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@inlong.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1035821536
This component needs to be upgraded to at least 3.6.1
[GitHub] [incubator-inlong] pjfanning edited a comment on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
pjfanning edited a comment on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1036067454
3.16.1 is the oldest version without a CVE - https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java
Might be worth considering 3.19.4 though - if protobuf-java follows semantic versioning rules, this version should be mainly compatible with 3.16.1 but would have more non-security fixes.
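An added example (not code from the InLong project or from anyone in this thread) that turns the version reasoning above into a repeatable build-time check: it resolves the protobuf-java version pinned in a Maven pom, flags anything below 3.16.1 (the fix line named above), and checks the SemVer major-version compatibility argument for 3.19.4. The pom below is constructed for illustration; the `protobuf.version` property name is an assumption.

```python
"""Audit a Maven pom for a protobuf-java version below the fix line (added example)."""
import re
import xml.etree.ElementTree as ET

MIN_FIXED = "3.16.1"   # oldest protobuf-java without a known CVE, per the thread
POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample pom: a parent pinning protobuf-java through a property,
# the way multi-module builds usually do it (property name is an assumption).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <protobuf.version>2.5.0</protobuf.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>${protobuf.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

def parse_version(v):
    """'3.19.4' -> (3, 19, 4): numeric compare, so '3.6.1' sorts below '3.16.1'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def resolve(value, props):
    """Expand ${name} placeholders using the pom's <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_protobuf_versions(pom_xml):
    """Return every resolved version declared for com.google.protobuf:protobuf-java."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.iter("{%s}dependency" % POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        if gid == "com.google.protobuf" and aid == "protobuf-java":
            found.append(resolve(dep.findtext("m:version", default="", namespaces=NS), props))
    return found

def audit(pom_xml, minimum=MIN_FIXED):
    """Return (version, meets_minimum) for each protobuf-java declaration found."""
    return [(v, parse_version(v) >= parse_version(minimum)) for v in find_protobuf_versions(pom_xml)]

def same_major(a, b):
    """SemVer: same major version means the API is expected to be compatible."""
    return parse_version(a)[0] == parse_version(b)[0]
```

Running `audit(SAMPLE_POM)` reports the 2.5.0 pin as failing; a 2.x to 3.x jump also fails `same_major`, which is why the thread treats the upgrade as something to test module by module rather than a drop-in bump.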
[GitHub] [incubator-inlong] pjfanning commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1036067454
3.16.1 is the oldest version without a CVE - https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java
[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1077331651
@pjfanning, you are right, let's upgrade to 3.19.4 to see if each module is compatible.
[GitHub] [incubator-inlong] dockerzhang closed issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
dockerzhang closed issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408
[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1035817193
Thanks @pjfanning
There is no limit to the protobuf version, this component only uses it to encode and decode messages.
We can adjust it according to our own environment when actually compiling and deploying, as long as the entire project can be compiled and passed.
[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1077355480
Ok, thanks @pjfanning and @doleyzi
[GitHub] [incubator-inlong] dockerzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
dockerzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1035745326
Do you have a suggestion about which version for `protobuf-java` could fix this issue? InLong is using `2.5.0` for all modules now.
[GitHub] [incubator-inlong] doleyzi commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
doleyzi commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1077354519
I upgraded the protobuf version to 3.19.4.
[GitHub] [incubator-inlong] pjfanning commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1074526660
Generally, it isn't a good idea to use jars that have publicly disclosed security issues. It also makes the project and the ASF look bad. Generally, jars get better over time (if they are maintained and used by many users) - there are exceptions but they are rare.
[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability
Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1036951406
Well, yes, 3.6.1 is the recommended minimum version, and this version is not safe anymore.
This place also wants to hear your suggestions: do third-party components have to be upgraded? When should an upgrade be required? When I see the components with these problems, in addition to security vulnerabilities, I think more about the performance and stability of the new version of the components, as well as interface compatibility issues, whether the performance has dropped significantly, and whether new vulnerabilities have been implanted.