Posted to dev@inlong.apache.org by GitBox <gi...@apache.org> on 2022/02/09 03:33:48 UTC

[GitHub] [incubator-inlong] pjfanning opened a new issue #2408: [Audit] protobuf-java dependency has security vulnerability

pjfanning opened a new issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408


   ### What happened
   
   [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569)
   
   
   ### What you expected to happen
   
   You might also need to upgrade other services to match the new version of protobuf you choose
   
   ### How to reproduce
   
   n/a
   
   ### Environment
   
   _No response_
   
   ### InLong version
   
   master
   
   ### InLong Component
   
   InLong Audit
   
   ### Are you willing to submit PR?
   
   - [ ] Yes, I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1035821536


   This component needs to be upgraded to at least 3.6.1





[GitHub] [incubator-inlong] pjfanning edited a comment on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
pjfanning edited a comment on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1036067454


   3.16.1 is the oldest version without a CVE - https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java
   
   Might be worth considering 3.19.4 though - if protobuf-java follows semantic versioning rules, this version should be mainly compatible with 3.16.1 but would have more non-security fixes





[GitHub] [incubator-inlong] pjfanning commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1036067454


   3.16.1 is the oldest version without a CVE - https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java





[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1077331651


   @pjfanning, you are right, let's upgrade to 3.19.4 to see if each module is compatible.





[GitHub] [incubator-inlong] dockerzhang closed issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
dockerzhang closed issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408


   





[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1035817193


   Thanks @pjfanning 
   
   There is no limit to the protobuf version; this component only uses it to encode and decode messages.
   
   We can adjust it according to our own environment when actually compiling and deploying, as long as the entire project can be compiled and passes.





[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1077355480


   Ok, thanks @pjfanning and @doleyzi 





[GitHub] [incubator-inlong] dockerzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
dockerzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1035745326


   Do you have a suggestion about which version for `protobuf-java` could fix this issue? InLong is using `2.5.0` for all modules now.


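dockerzhang asks above which `protobuf-java` version would fix the issue while all InLong modules declare `2.5.0`, and pjfanning names 3.16.1 as the oldest release without a CVE. The script below is an added example, not part of this thread or of the InLong code base: it parses a Maven `pom.xml`, resolves the `${...}` property that usually carries the protobuf version, and flags any `com.google.protobuf:protobuf-java` dependency declared below 3.16.1. The sample POM text, the `protobuf.version` property name and the `org.example` project coordinates are constructed for the example; the artifact coordinates and the version numbers 2.5.0, 3.16.1 and 3.19.4 are the ones named in the thread.

```python
"""Audit the protobuf-java version declared in Maven pom.xml files (example code)."""
import re
import xml.etree.ElementTree as ET

# Oldest protobuf-java release named in the thread as having no known CVE.
MIN_SAFE_VERSION = "3.16.1"

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM: a module still pinned to the 2.5.0 the thread says InLong used.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>audit-sample</artifactId>
  <version>1.0.0</version>
  <properties>
    <protobuf.version>2.5.0</protobuf.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>${protobuf.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# The same constructed POM after the upgrade the thread settled on (3.19.4).
FIXED_POM = VULNERABLE_POM.replace("<protobuf.version>2.5.0", "<protobuf.version>3.19.4")


def parse_version(text):
    """Turn '3.19.4' into (3, 19, 4) so versions compare numerically, not as strings.

    Parsing stops at the first non-numeric component, so '3.19.4-SNAPSHOT' -> (3, 19, 4).
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def resolve_property(value, properties):
    """Expand ${name} placeholders from the <properties> block; unknown names are left as-is."""
    def repl(match):
        return properties.get(match.group(1), match.group(0))
    return re.sub(r"\$\{([^}]+)\}", repl, value)


def find_dependency_versions(pom_xml, group_id, artifact_id):
    """Return the resolved <version> of every dependency matching group:artifact in the POM."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for prop in root.findall("m:properties/*", MAVEN_NS):
        name = prop.tag.split("}", 1)[-1]  # strip the '{namespace}' prefix
        properties[name] = (prop.text or "").strip()
    # Maven also lets a dependency reference the project's own version.
    project_version = root.findtext("m:version", default="", namespaces=MAVEN_NS)
    properties.setdefault("project.version", project_version.strip())

    versions = []
    # iter() also walks <dependencyManagement>, so pinned versions there are covered too.
    for dep in root.iter("{%s}dependency" % MAVEN_NS["m"]):
        g = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        if g == group_id and a == artifact_id:
            raw = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
            versions.append(resolve_property(raw, properties))
    return versions


def audit_protobuf(pom_xml, min_safe=MIN_SAFE_VERSION):
    """Return [(declared_version, is_below_minimum), ...] for each protobuf-java dependency."""
    findings = []
    for v in find_dependency_versions(pom_xml, "com.google.protobuf", "protobuf-java"):
        findings.append((v, parse_version(v) < parse_version(min_safe)))
    return findings


if __name__ == "__main__":
    for label, pom in (("before", VULNERABLE_POM), ("after", FIXED_POM)):
        for version, vulnerable in audit_protobuf(pom):
            status = "VULNERABLE (below %s)" % MIN_SAFE_VERSION if vulnerable else "ok"
            print("%s: protobuf-java %s -> %s" % (label, version, status))
```

The check only sees versions declared in the POM it is given; a `protobuf-java` pulled in transitively by another dependency is resolved by Maven at build time and is better inspected with `mvn dependency:tree` or a dependency scanner. That is also why the thread's remark about upgrading other services to match the chosen version matters: the declared version and the one actually on the classpath can differ.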



[GitHub] [incubator-inlong] doleyzi commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
doleyzi commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1077354519


   I upgraded the protobuf version to 3.19.4





[GitHub] [incubator-inlong] pjfanning commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
pjfanning commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1074526660


   Generally, it isn't a good idea to use jars that have publicly disclosed security issues. It also makes the project and the ASF look bad. Generally, jars get better over time (if they are maintained and used by many users) - there are exceptions but they are rare.





[GitHub] [incubator-inlong] gosonzhang commented on issue #2408: [Audit] protobuf-java dependency has security vulnerability

Posted by GitBox <gi...@apache.org>.
gosonzhang commented on issue #2408:
URL: https://github.com/apache/incubator-inlong/issues/2408#issuecomment-1036951406


   Well, yes, 3.6.1 is the recommended minimum version, and this version is not safe anymore.
   
   I would also like to hear your suggestions here: do third-party components have to be upgraded? When should an upgrade be required? When I see the components with these problems, in addition to security vulnerabilities, I think more about the performance and stability of the new version of the components, as well as interface compatibility issues, whether the performance has dropped significantly, and whether new vulnerabilities have been implanted.

