Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/11 07:43:33 UTC

[GitHub] [pulsar] nicoloboschi opened a new pull request, #16520: [fix][security] Upgrade Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047

nicoloboschi opened a new pull request, #16520:
URL: https://github.com/apache/pulsar/pull/16520

   ### Motivation
   
   OWASP check fails because jetty 9.4.44 is marked as vulnerable due to [CVE-2022-2047](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2047).
   
   Note that Jetty 9.4.x is EOL after `9.4.48.v20220622`.
   
   ### Modifications
   
   * Upgrade to latest 9.4.x (9.4.48.v20220622)
   (see https://github.com/eclipse/jetty.project/releases)
   
   - [x] `doc-not-needed` 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16520: [fix][security] Upgrade Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16520:
URL: https://github.com/apache/pulsar/pull/16520#discussion_r918646512


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -158,4 +158,13 @@
     <sha1>1a754a5dd672218a2ac667d7ff2b28df7a5a240e</sha1>
     <cve>CVE-2022-25647</cve>
   </suppress>
+
+  <!-- 9.4.x is not affected https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623-->
+  <suppress>
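Review bot: the justification for this new suppression conflicts with the PR's own purpose: the comment says 9.4.x is not affected (issue 8161), while the PR title says the Jetty upgrade exists to get rid of CVE-2022-2047. If the upgrade resolves the finding, the suppression is unnecessary, and a permanent suppression will silently hide any future real Jetty CVE that its match criteria happen to cover; either drop it, or time-bound it with the suppression schema's `until` attribute (e.g. `<suppress until="YYYY-MM-DDZ">`, date to be chosen) and name the CVE in the comment so the entry is re-examined when it expires.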

Review Comment:
   Our jetty version is still vulnerable to https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q, so it's better to upgrade.




[GitHub] [pulsar] merlimat merged pull request #16520: [fix][security] Upgrade Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047

Posted by GitBox <gi...@apache.org>.
merlimat merged PR #16520:
URL: https://github.com/apache/pulsar/pull/16520



[GitHub] [pulsar] tisonkun commented on a diff in pull request #16520: [fix][security] Upgrade Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16520:
URL: https://github.com/apache/pulsar/pull/16520#discussion_r918525317


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -158,4 +158,13 @@
     <sha1>1a754a5dd672218a2ac667d7ff2b28df7a5a240e</sha1>
     <cve>CVE-2022-25647</cve>
   </suppress>
+
+  <!-- 9.4.x is not affected https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623-->
+  <suppress>
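Review bot: style point on the added comment line: there is no space before `-->`, and the comment states only an issue link, not which CVE is being suppressed. Writing it as `<!-- Jetty 9.4.x is not affected by CVE-2022-2047, see https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623 -->` makes the suppression's scope readable without following the link.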

Review Comment:
   We can revert this change since upstream has fixed the false positive https://github.com/eclipse/jetty.project/issues/8161.


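The exchange above turns on whether a suppression entry is still justified once upstream fixes a false positive or the dependency is upgraded. A practical guard is to require every suppression to carry an expiry and to audit the file for entries that have none or have lapsed. The script below is an added example, not code from the Pulsar project: it parses a constructed suppression file in the shape of `src/owasp-dependency-check-false-positives.xml` (the first entry reuses the sha1/CVE visible in the hunk; the Jetty entry, its `packageUrl` pattern and its `until` date are hypothetical) and reports each entry's status using the `until` attribute that the dependency-check suppression schema defines.

```python
"""Audit an OWASP dependency-check suppression file for stale entries.

Added example (not Pulsar code). Every <suppress> should carry an
'until' date so a suppression added for a false positive expires and is
re-checked after the upstream fix or the dependency upgrade lands.
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample in the shape of src/owasp-dependency-check-false-positives.xml.
# The gson entry reuses the sha1/CVE from the PR hunk; the Jetty entry and its
# expiry date are hypothetical.
SAMPLE_XML = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>gson false positive</notes>
    <sha1>1a754a5dd672218a2ac667d7ff2b28df7a5a240e</sha1>
    <cve>CVE-2022-25647</cve>
  </suppress>
  <suppress until="2022-08-31Z">
    <notes>9.4.x is not affected (hypothetical expiry)</notes>
    <packageUrl regex="true">^pkg:maven/org\\.eclipse\\.jetty/.*$</packageUrl>
    <cve>CVE-2022-2047</cve>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace so tag matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _parse_date(value):
    """Parse 'YYYY-MM-DD' or the schema's 'YYYY-MM-DDZ' form into a date."""
    return dt.date.fromisoformat(value.rstrip("Z"))


def audit_suppressions(xml_text, today_iso):
    """Return [(cve_label, status)] for every <suppress> element.

    status is one of:
      'no-expiry' : no 'until' attribute, suppression never gets re-examined
      'expired'   : 'until' is in the past, entry should be removed or renewed
      'active'    : still within its expiry window
    """
    today = _parse_date(today_iso)
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        if _local(node.tag) != "suppress":
            continue
        cves = [c.text.strip() for c in node if _local(c.tag) == "cve" and c.text]
        label = ",".join(cves) or "<no cve>"
        until = node.get("until")
        if until is None:
            status = "no-expiry"
        elif _parse_date(until) < today:
            status = "expired"
        else:
            status = "active"
        findings.append((label, status))
    return findings


def stale_entries(xml_text, today_iso):
    """Entries a reviewer should act on: missing or lapsed expiry."""
    return [f for f in audit_suppressions(xml_text, today_iso) if f[1] != "active"]


if __name__ == "__main__":
    for label, status in audit_suppressions(SAMPLE_XML, "2022-07-11"):
        print(f"{status:10} {label}")
```

Run it against the real file in CI (for example, failing the build on any `expired` entry) so that a suppression like the one proposed in this PR cannot outlive the Jetty upgrade that makes it redundant.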


[GitHub] [pulsar] nicoloboschi commented on pull request #16520: [fix][security] Upgrade Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on PR #16520:
URL: https://github.com/apache/pulsar/pull/16520#issuecomment-1181781963

   /pulsarbot rerun-failure-checks



[GitHub] [pulsar] tisonkun commented on a diff in pull request #16520: [fix][security] Upgrade Jetty to 9.4.48.v20220622 to get rid of CVE-2022-2047

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16520:
URL: https://github.com/apache/pulsar/pull/16520#discussion_r918525908


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -158,4 +158,13 @@
     <sha1>1a754a5dd672218a2ac667d7ff2b28df7a5a240e</sha1>
     <cve>CVE-2022-25647</cve>
   </suppress>
+
+  <!-- 9.4.x is not affected https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178728623-->
+  <suppress>

Review Comment:
   My latest OWASP check gave green here: https://github.com/apache/pulsar/runs/7294406368?check_suite_focus=true
   
   So I even wonder whether we should bump the jetty version, although bumping to a new version is always a valid improvement from my side.

