Posted to commits@druid.apache.org by "abhagraw (via GitHub)" <gi...@apache.org> on 2023/03/21 06:31:35 UTC

[GitHub] [druid] abhagraw opened a new pull request, #13956: Fixing security vulnerability check errors

abhagraw opened a new pull request, #13956:
URL: https://github.com/apache/druid/pull/13956

   Fixing security vulnerability check errors.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] abhagraw closed pull request #13956: Fixing security vulnerability check errors

Posted by "abhagraw (via GitHub)" <gi...@apache.org>.
abhagraw closed pull request #13956: Fixing security vulnerability check errors
URL: https://github.com/apache/druid/pull/13956



[GitHub] [druid] AmatyaAvadhanula commented on pull request #13956: Fixing security vulnerability check errors

Posted by "AmatyaAvadhanula (via GitHub)" <gi...@apache.org>.
AmatyaAvadhanula commented on PR #13956:
URL: https://github.com/apache/druid/pull/13956#issuecomment-1480631231

   Thank you for adding the details!



[GitHub] [druid] abhagraw commented on pull request #13956: Fixing security vulnerability check errors

Posted by "abhagraw (via GitHub)" <gi...@apache.org>.
abhagraw commented on PR #13956:
URL: https://github.com/apache/druid/pull/13956#issuecomment-1477527475

   Suppressing the following CVEs:
   
   [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688) - This does not affect us as we do not use XML.
   ```
   A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
   ```
   
   [CVE-2020-11612](https://nvd.nist.gov/vuln/detail/CVE-2020-11612) - To suppress this we need to update to netty 4 (a lot of other dependencies are waiting on this).
   ```
   The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
   ```
   
   [CVE-2021-28170](https://nvd.nist.gov/vuln/detail/CVE-2021-28170) - Updated to jakarta.el 3.0.4.
   ```
   In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
   ```
   
   [CVE-2023-1370](https://ubuntu.com/security/CVE-2023-1370) - Druid only parses JSON with expected formats.
   ```
   Json-smart is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{’ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
   ```


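The comment above gives, per CVE, the reason a scanner finding is being suppressed (not reachable, fix blocked on an upgrade, or already fixed). A reviewer wants that reasoning captured where the suppression lives, and wants the "blocked on an upgrade" ones to come back for re-triage rather than being suppressed forever. The script below is an added example, not Druid's tooling; it assumes the "security vulnerability check" is OWASP dependency-check and that suppressions are kept in its XML suppression format. The embedded suppression file is constructed for this example: the package coordinates, the `until` date and the notes are assumptions written to mirror the triage in the thread, not copied from Druid's repository.

```python
"""Lint an OWASP dependency-check suppression file for triage quality.

Added example, not Druid's own tooling. It assumes the vulnerability
check in the thread is OWASP dependency-check and that suppressions use
its XML suppression format. SAMPLE_SUPPRESSIONS is constructed here; the
package coordinates, dates and notes are assumptions, not Druid's file.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: one well-justified entry, one time-boxed entry waiting
# on an upgrade, one with no justification, and one blanket entry that
# names no vulnerability at all.
SAMPLE_SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>CVE-2022-45688: XML.toJSONObject is never called; only the JSON API of hutool-json is used.</notes>
    <packageUrl regex="true">^pkg:maven/cn\.hutool/hutool-json@.*$</packageUrl>
    <cve>CVE-2022-45688</cve>
  </suppress>
  <suppress until="2023-06-30Z">
    <notes>CVE-2020-11612: fix needs the Netty 4 migration; re-triage when it lands.</notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3\..*$</packageUrl>
    <cve>CVE-2020-11612</cve>
  </suppress>
  <suppress>
    <notes></notes>
    <packageUrl regex="true">^pkg:maven/net\.minidev/json-smart@.*$</packageUrl>
    <cve>CVE-2023-1370</cve>
  </suppress>
  <suppress>
    <notes>Not reachable.</notes>
    <packageUrl regex="true">^pkg:maven/org\.example/widget@.*$</packageUrl>
  </suppress>
</suppressions>
"""

# Elements that narrow a suppression to one vulnerability ...
VULN_SELECTORS = ("cve", "vulnerabilityName", "cvssBelow")
# ... and to one dependency.
TARGET_SELECTORS = ("packageUrl", "gav", "filePath", "sha1", "cpe")


def _qualified(tag, ns):
    """Build the namespaced tag ElementTree expects."""
    return f"{{{ns}}}{tag}" if ns else tag


def _child_text(elem, tag, ns):
    """Text of the first child <tag>: '' if present but empty, None if absent."""
    child = elem.find(_qualified(tag, ns))
    if child is None:
        return None
    return (child.text or "").strip()


def _parse_until(value):
    """Parse the schema's YYYY-MM-DDZ 'until' attribute into a date."""
    return date.fromisoformat(value.rstrip("Zz"))


def lint_suppressions(xml_text, today=None):
    """Return (label, problem) pairs for suppressions that would fail review.

    today: ISO date string the 'until' attribute is checked against;
    defaults to the current date.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    # Take the namespace from the document so any schema version works.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    findings = []
    for i, sup in enumerate(root.findall(_qualified("suppress", ns)), start=1):
        ids = [_child_text(sup, t, ns) for t in VULN_SELECTORS]
        label = ", ".join(v for v in ids if v) or f"entry #{i}"

        # Every suppression must say why the finding does not apply.
        if not _child_text(sup, "notes", ns):
            findings.append((label, "missing justification in <notes>"))
        # Without a cve/vulnerabilityName/cvssBelow the entry silences
        # every current and future finding for that dependency.
        if not any(ids):
            findings.append((label, "not scoped to a vulnerability; suppresses every finding for the target"))
        if not any(sup.find(_qualified(t, ns)) is not None for t in TARGET_SELECTORS):
            findings.append((label, "no target selector; applies to every dependency"))
        # Time-boxed suppressions must be re-triaged once they lapse.
        until = sup.get("until")
        if until:
            try:
                if _parse_until(until) < today_d:
                    findings.append((label, f"expired on {until}; re-triage or drop the suppression"))
            except ValueError:
                findings.append((label, f"malformed until date {until!r}"))
    return findings


if __name__ == "__main__":
    problems = lint_suppressions(SAMPLE_SUPPRESSIONS, today="2023-03-21")
    for label, problem in problems:
        print(f"{label}: {problem}")
    sys.exit(1 if problems else 0)
```

Run against the constructed file on the thread's date it reports the empty `<notes>` on the json-smart entry and the blanket entry with no `<cve>`; run later, after the assumed `until` date, it also reports the Netty entry as expired, which is the point of time-boxing a suppression whose real fix is blocked on an upgrade. The stdlib parser is acceptable here because the suppression file is repository-controlled; use `defusedxml` if the input could come from anywhere else.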

[GitHub] [druid] abhagraw commented on pull request #13956: Fixing security vulnerability check errors

Posted by "abhagraw (via GitHub)" <gi...@apache.org>.
abhagraw commented on PR #13956:
URL: https://github.com/apache/druid/pull/13956#issuecomment-1477348530

   > @abhagraw could you please add more details regarding the CVEs and why they do not affect Druid?
   
   I have added a comment for `CVE-2022-45688`.
   And for `CVE-2020-11612` - we need to update to netty 4 (for which a comment was already there).
   
   Is there any specific information you are looking for?



[GitHub] [druid] abhagraw commented on pull request #13956: Fixing security vulnerability check errors

Posted by "abhagraw (via GitHub)" <gi...@apache.org>.
abhagraw commented on PR #13956:
URL: https://github.com/apache/druid/pull/13956#issuecomment-1477348718

   Closed by mistake. Reopening.



[GitHub] [druid] AmatyaAvadhanula commented on pull request #13956: Fixing security vulnerability check errors

Posted by "AmatyaAvadhanula (via GitHub)" <gi...@apache.org>.
AmatyaAvadhanula commented on PR #13956:
URL: https://github.com/apache/druid/pull/13956#issuecomment-1477345958

   @abhagraw could you please add more details regarding the CVEs and why they do not affect Druid?



[GitHub] [druid] AmatyaAvadhanula merged pull request #13956: Fixing security vulnerability check errors

Posted by "AmatyaAvadhanula (via GitHub)" <gi...@apache.org>.
AmatyaAvadhanula merged PR #13956:
URL: https://github.com/apache/druid/pull/13956
