Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/06/17 11:21:08 UTC

[GitHub] [pulsar] tisonkun opened a new pull request, #16110: [security] Bump ES client version to 8.2.3

tisonkun opened a new pull request, #16110:
URL: https://github.com/apache/pulsar/pull/16110

   ### Motivation
   
   This fixes CVE-2022-23712.
   
   ### Does this pull request potentially affect one of the following parts:
   
   *If `yes` was chosen, please highlight the changes*
   
     - Dependencies (does it add or upgrade a dependency): (yes)
   
   This fixes CVE-2022-23712.
   
     - The public API: (yes / no)
     - The schema: (yes / no / don't know)
     - The default values of configurations: (yes / no)
     - The wire protocol: (yes / no)
     - The rest endpoints: (yes / no)
     - The admin cli options: (yes / no)
     - Anything that affects deployment: (yes / no / don't know)
   
   ### Documentation
   
   Check the box below or label this PR directly.
   
   Need to update docs? 
   
   - [ ] `doc-required` 
   (Your PR needs to update docs and you will update later)
     
   - [x] `doc-not-needed` 
   (Please explain why)
     
   - [ ] `doc` 
   (Your PR contains doc changes)
   
   - [ ] `doc-complete`
   (Docs have been already added)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#discussion_r901605904


##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>

Review Comment:
   Actually I opened the OWASP HTML report and clicked the "add suppression" button to get the SHA-1.





[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1161301802

   Thanks for your review!




[GitHub] [pulsar] tisonkun commented on a diff in pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#discussion_r901046539


##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>

Review Comment:
   It seems that I can get the value of `sha1` from https://repo1.maven.org/maven2/co/elastic/clients/elasticsearch-java/8.1.0/elasticsearch-java-8.1.0.jar.sha1, and ditto for rest-client.
   
   I'll make an update, but I still wonder what benefit it brings.



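A helper that does what the comments above describe (take the artifact's SHA-1 from the repository's `.jar.sha1` file and pin the suppression to it), as an added example that is not the PR's code and not part of dependency-check. It assumes the standard `~/.m2/repository` layout and feeds a constructed byte string in place of a real jar; the `<sha1>`, `<cve>` and `<notes>` elements are the ones dependency-check's suppression schema defines. The check against the published checksum is the step that makes a hash-pinned suppression worth more than a `<gav>` one: it ties the exemption to the exact bytes you audited rather than to coordinates that any other jar carrying the same GAV would also match.

```python
"""Generate a SHA-1-pinned OWASP dependency-check suppression for a Maven artifact.

Added example: not code from the Pulsar PR and not part of dependency-check.
The suppression schema accepts <sha1> (hash of the exact jar bytes) as an
alternative to <gav>, and Maven Central publishes that hash next to each
artifact as <artifact>-<version>.jar.sha1. This helper locates the jar in a
local Maven repository (the ~/.m2/repository layout is assumed), hashes it,
optionally checks the hash against the published .sha1 text, and emits the
<suppress> element.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional, Union
from xml.sax.saxutils import escape

# Constructed stand-in for a jar; not a real artifact.
SAMPLE_JAR_BYTES = b"PK\x03\x04 constructed sample, not a real jar"

_SHA1_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def local_jar_path(gav: str, repo: Union[str, Path, None] = None) -> Path:
    """Map 'group:artifact:version' to the jar in a Maven local repository."""
    group, artifact, version = gav.split(":")
    base = Path(repo) if repo is not None else Path.home() / ".m2" / "repository"
    return base.joinpath(*group.split("."), artifact, version, f"{artifact}-{version}.jar")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    """Stream the file so large jars do not have to be read into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(local_hex: str, published_sha1_text: str) -> bool:
    """Compare a computed hash with the body of the repository's .jar.sha1 file.

    Some repositories publish "<hex>  <filename>" rather than the bare hex, so
    only the first token is compared, case-insensitively. An empty body never
    matches.
    """
    tokens = published_sha1_text.split()
    return bool(tokens) and tokens[0].lower() == local_hex.lower()


def suppression_xml(sha1: str, cve: str, notes: str) -> str:
    """Render one dependency-check <suppress> element pinned to a jar hash."""
    if not _SHA1_RE.fullmatch(sha1):
        raise ValueError(f"not a SHA-1 hex digest: {sha1!r}")
    if not _CVE_RE.fullmatch(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return "\n".join([
        "<suppress>",
        f"    <notes>{escape(notes)}</notes>",
        f"    <sha1>{sha1.lower()}</sha1>",
        f"    <cve>{cve}</cve>",
        "</suppress>",
    ])


def suppression_for_gav(gav: str, cve: str, notes: str,
                        published_sha1_text: Optional[str] = None,
                        repo: Union[str, Path, None] = None) -> str:
    """Hash the local jar for `gav`, verify it against the published .sha1 body if given, render."""
    jar = local_jar_path(gav, repo)
    digest = sha1_of_file(jar)
    if published_sha1_text is not None and not matches_published(digest, published_sha1_text):
        raise ValueError(f"{jar} does not match the published checksum for {gav}")
    return suppression_xml(digest, cve, notes)


def demo() -> dict:
    """Run the flow end to end against the constructed jar in a temporary repository."""
    gav = "co.elastic.clients:elasticsearch-java:8.1.0"
    with tempfile.TemporaryDirectory() as tmp:
        jar = local_jar_path(gav, tmp)
        jar.parent.mkdir(parents=True)
        jar.write_bytes(SAMPLE_JAR_BYTES)
        # What the matching .jar.sha1 download would contain for this constructed jar.
        published = sha1_hex(SAMPLE_JAR_BYTES) + "\n"
        xml = suppression_for_gav(gav, "CVE-2022-23712",
                                  "CVE-2022-23712 is only related to Elastic server",
                                  published, repo=tmp)
    return {"sha1": sha1_hex(SAMPLE_JAR_BYTES), "xml": xml}


if __name__ == "__main__":
    print(demo()["xml"])
```

Run it as a script to print the element for the constructed sample. For a real artifact, call `suppression_for_gav` once per jar (the thread needs two, `elasticsearch-java` and `elasticsearch-rest-client`) with the GAV and the text of the `.jar.sha1` file downloaded from the repository; a mismatch raises instead of emitting a suppression for bytes you did not verify.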


[GitHub] [pulsar] tisonkun commented on a diff in pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#discussion_r900690424


##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>

Review Comment:
   Hi @nicoloboschi, what's the difference between `gav` and `sha1`, or what's the benefit of using `sha1`? Also, how can I get the corresponding `sha1` of this artifact?





[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1159670226

   Tests failed on CI - Build - MacOS / Unit-BROKER_FLAKY Tests. I think it's a flaky test, since #16109 passed.




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1158921691

   > CI - CPP, Python Tests / cpp-tests (pull_request) 
   
   @nicoloboschi I don't think this patch causes this task failure.




[GitHub] [pulsar] tisonkun commented on a diff in pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#discussion_r901625812


##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>

Review Comment:
   Thanks for your information! I've addressed this comment.





[GitHub] [pulsar] nicoloboschi commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1160385673

   @tisonkun we have to do the upgrade of fastjson in another pull. Will merge this one even if the OWASP check fails, but it's better to have two different pulls (easier to revert and to cherry-pick).




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1160406665

   Updated.




[GitHub] [pulsar] nicoloboschi merged pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
nicoloboschi merged PR #16110:
URL: https://github.com/apache/pulsar/pull/16110




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1159617484

   Now it reports a new vulnerability. Shall I include the resolution in this PR?
   
   ```
   Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project pulsar: 
   Error: 
   Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   Error: 
   Error:  fastjson-1.2.73.jar: CVE-2022-25845(9.8)
   Error: 
   Error:  See the dependency-check report for more details.
   Error:  -> [Help 1]
   Error: 
   Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
   Error:  Re-run Maven using the -X switch to enable full debug logging.
   Error: 
   Error:  For more information about the errors and possible solutions, please read the following articles:
   Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
   Error: 
   Error:  After correcting the problems, you can resume the build with the command
   Error:    mvn <args> -rf :pulsar
   Error: Process completed with exit code 1.
   ```




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1160405909

   @nicoloboschi thanks for your explanation. Will push a commit to revert fastjson changes and do it in another PR.




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1160370894

   cc @nicoloboschi @lhotari 




[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#discussion_r901605295


##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>

Review Comment:
   it's the suggested way: https://jeremylong.github.io/DependencyCheck/general/suppression.html
   
   





[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#discussion_r900226700


##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>
+        <cve>CVE-2022-23712</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>org.elasticsearch.client:elasticsearch-rest-client:8.1.0</gav>
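Review bot: the `-` line drops the `<!-- see https://github.com/apache/pulsar/pull/14629-->` comment that documented the suppression just above this hunk (the block ending in `<vulnerabilityName regex="true">.*</vulnerabilityName>`), and the replacement `<!-- see https://github.com/apache/pulsar/pull/16110 -->` only describes the two new entries; unless the old comment is re-added in the lines cut off below, keep it where it was and put the new comment directly above the new `<suppress>` blocks, so every suppression retains a pointer to the PR that justified it. The `<notes>` text "CVE-2022-23712 is only related to Elastic server" is also repeated verbatim for both `co.elastic.clients:elasticsearch-java:8.1.0` and `org.elasticsearch.client:elasticsearch-rest-client:8.1.0`; a clause on why a client jar is out of scope for a server-side advisory would let a future reader re-evaluate the exemption when the client is bumped past 8.1.0, since the exact-version `<gav>` match then silently stops applying and the finding returns. Scoping both entries with `<cve>CVE-2022-23712</cve>` rather than a catch-all `<vulnerabilityName regex="true">.*</vulnerabilityName>` like the preceding block is the right call and should be kept for the second entry too.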

Review Comment:
   could you use the sha1 here? 



##########
src/owasp-dependency-check-suppressions.xml:
##########
@@ -37,7 +37,19 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes>CVE-2022-23712 is only related to Elastic server</notes>
+        <gav>co.elastic.clients:elasticsearch-java:8.1.0</gav>

Review Comment:
   could you use the sha1 here? 





[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1159618912

   I pushed a commit to update fastjson for the latest patch version. Otherwise CI always failed :(




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Bump ES client version to 8.2.3

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1158867535

   @nicoloboschi Thanks! Will update it.




[GitHub] [pulsar] tisonkun commented on pull request #16110: [security] Suppress CVE-2022-23712 warnings

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16110:
URL: https://github.com/apache/pulsar/pull/16110#issuecomment-1158936006

   cc @lhotari 

