Posted to dev@pulsar.apache.org by Yunze Xu <yz...@streamnative.io.INVALID> on 2023/02/08 02:49:09 UTC

Pulsar Cpp client release 3.1.2

Hi all,

There is a serious OAuth2 authentication regression [1] for all
existing C++ client 3.x.y releases. I see many users tend to downgrade
to old versions like 2.10.2. This behavior is dangerous because of the
CVE.

The fix [2] is now merged, so I decided to start a 3.1.2 release ASAP,
though the 3.1.1 release is not formally announced yet. The Python
3.1.0 release in progress and the Node.js 1.8.1 release will depend on
this version.

[1] https://lists.apache.org/thread/6rrq4lj965rm0zqk9rtwwf6gcqb02220
[2] https://github.com/apache/pulsar-client-cpp/pull/190

Thanks,
Yunze

Re: Pulsar Cpp client release 3.1.2

Posted by Michael Marshall <mm...@apache.org>.
+1, thank you for fixing this issue, Yunze.

- Michael

On Tue, Feb 7, 2023 at 9:11 PM Zike Yang <zi...@apache.org> wrote:
>
> +1
>
> Thanks,
> Zike Yang
>
> On Wed, Feb 8, 2023 at 11:08 AM Matteo Merli <ma...@gmail.com> wrote:
> >
> > +1
> > --
> > Matteo Merli
> > <ma...@gmail.com>
> >
> > On Tue, Feb 7, 2023 at 6:49 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> > >
> > > Hi all,
> > >
> > > There is a serious OAuth2 authentication regression [1] for all
> > > existing C++ client 3.x.y releases. I see many users tend to downgrade
> > > to old versions like 2.10.2. This behavior is dangerous because of the
> > > CVE.
> > >
> > > The fix [2] is now merged, so I decided to start a 3.1.2 release ASAP,
> > > though the 3.1.1 release is not formally announced yet. The Python
> > > 3.1.0 release in progress and the Node.js 1.8.1 release will depend on
> > > this version.
> > >
> > > [1] https://lists.apache.org/thread/6rrq4lj965rm0zqk9rtwwf6gcqb02220
> > > [2] https://github.com/apache/pulsar-client-cpp/pull/190
> > >
> > > Thanks,
> > > Yunze

Re: Pulsar Cpp client release 3.1.2

Posted by Zike Yang <zi...@apache.org>.
+1

Thanks,
Zike Yang

On Wed, Feb 8, 2023 at 11:08 AM Matteo Merli <ma...@gmail.com> wrote:
>
> +1
> --
> Matteo Merli
> <ma...@gmail.com>
>
> On Tue, Feb 7, 2023 at 6:49 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
> >
> > Hi all,
> >
> > There is a serious OAuth2 authentication regression [1] for all
> > existing C++ client 3.x.y releases. I see many users tend to downgrade
> > to old versions like 2.10.2. This behavior is dangerous because of the
> > CVE.
> >
> > The fix [2] is now merged, so I decided to start a 3.1.2 release ASAP,
> > though the 3.1.1 release is not formally announced yet. The Python
> > 3.1.0 release in progress and the Node.js 1.8.1 release will depend on
> > this version.
> >
> > [1] https://lists.apache.org/thread/6rrq4lj965rm0zqk9rtwwf6gcqb02220
> > [2] https://github.com/apache/pulsar-client-cpp/pull/190
> >
> > Thanks,
> > Yunze

Re: Pulsar Cpp client release 3.1.2

Posted by Matteo Merli <ma...@gmail.com>.
+1
--
Matteo Merli
<ma...@gmail.com>

On Tue, Feb 7, 2023 at 6:49 PM Yunze Xu <yz...@streamnative.io.invalid> wrote:
>
> Hi all,
>
> There is a serious OAuth2 authentication regression [1] for all
> existing C++ client 3.x.y releases. I see many users tend to downgrade
> to old versions like 2.10.2. This behavior is dangerous because of the
> CVE.
>
> The fix [2] is now merged, so I decided to start a 3.1.2 release ASAP,
> though the 3.1.1 release is not formally announced yet. The Python
> 3.1.0 release in progress and the Node.js 1.8.1 release will depend on
> this version.
>
> [1] https://lists.apache.org/thread/6rrq4lj965rm0zqk9rtwwf6gcqb02220
> [2] https://github.com/apache/pulsar-client-cpp/pull/190
>
> Thanks,
> Yunze