Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/16 03:40:20 UTC

[GitHub] [apisix] TARI0510 opened a new issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

TARI0510 opened a new issue #6335:
URL: https://github.com/apache/apisix/issues/6335


   ### Issue description
   
   In version 2.11.0, `batch-requests` is enabled by default:
   https://github.com/apache/apisix/blob/2.11.0/conf/config-default.yaml#L310
   
   and 2.11.0 doesn't have the patch code in
   https://github.com/apache/apisix/blob/2.11.0/apisix/plugins/batch-requests.lua#L168
   
   Here is CVE-2022-24112's patch code:
   https://github.com/apache/apisix/pull/6251/files#diff-b80ee9fead226c0432f9e78cf5cae941641f9f685c49002f6a51310dd7134892R169
   
   but the announcement only refers to the 2.10.x and 2.12.x versions.
   
   ### Environment
   
   default environment


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] leslie-tsang commented on issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6335:
URL: https://github.com/apache/apisix/issues/6335#issuecomment-1041288605


   > Is apisix 2.11.0 version affected by CVE-2022-24112
   
   Yes, `apisix 2.11.0` was affected.





[GitHub] [apisix] TARI0510 commented on issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
TARI0510 commented on issue #6335:
URL: https://github.com/apache/apisix/issues/6335#issuecomment-1041297676


   Is there any plan to release a patch for 2.11.0? I see 2.10.x and 2.12.x have a patch version.





[GitHub] [apisix] TARI0510 commented on issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
TARI0510 commented on issue #6335:
URL: https://github.com/apache/apisix/issues/6335#issuecomment-1041386979


   ok!





[GitHub] [apisix] TARI0510 commented on issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
TARI0510 commented on issue #6335:
URL: https://github.com/apache/apisix/issues/6335#issuecomment-1041308257


   Ok, thanks for the reply!





[GitHub] [apisix] tzssangglass commented on issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6335:
URL: https://github.com/apache/apisix/issues/6335#issuecomment-1041302551


   `2.11.0` is not an LTS version, so we won't backport to this version.





[GitHub] [apisix] leslie-tsang commented on issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6335:
URL: https://github.com/apache/apisix/issues/6335#issuecomment-1041311263


   It's recommended to upgrade APISIX to the latest version `2.12.1`.





[GitHub] [apisix] TARI0510 closed issue #6335: Is apisix 2.11.0 version affected by CVE-2022-24112?

Posted by GitBox <gi...@apache.org>.
TARI0510 closed issue #6335:
URL: https://github.com/apache/apisix/issues/6335


   

