Posted to dev@zookeeper.apache.org by "Dilip anand (Jira)" <ji...@apache.org> on 2023/05/16 16:34:00 UTC
[jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper latest version
Dilip anand created ZOOKEEPER-4696:
--------------------------------------
Summary: Update for Zookeeper latest version
Key: ZOOKEEPER-4696
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
Project: ZooKeeper
Issue Type: Bug
Reporter: Dilip anand
Hi team,
We ran a scan for security vulnerability fixes; we have seen CVEs that affect ZooKeeper, and the version of ZooKeeper we are using is 3.8.0. Here are the CVEs affecting ZooKeeper: CVE-2022-32221, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534, CVE-2022-22576, CVE-2020-8169, CVE-2020-8285, CVE-2020-8286, CVE-2021-22926, CVE-2021-22946, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2023-23916, which do not have any reports on the Red Hat website. We want to know what version of ZooKeeper will clear these CVEs and when it will be released.
Regards,
Dilip
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
Re: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper latest version
Posted by Villő Szűcs <sz...@cloudera.com.INVALID>.
Hi team,
I started working on this patch. I think we need to upgrade the main
version of Jetty, because all of the 9.4-based versions have CVE problems.
See here: https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server.
We should upgrade Jetty to 11.0.15, which is the latest version. For this,
we need quite a few code changes.
Jetty 10+ does not support Java 8 (https://www.eclipse.org/jetty/download.php);
perhaps we should drop Java 8 support?
Regards,
Villo
On Fri, May 26, 2023 at 8:43 AM Andor Molnar <an...@apache.org> wrote:
Re: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper latest version
Posted by Andor Molnar <an...@apache.org>.
Owasp build reported the following:
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
Thanks Ben for letting us know. Would you please kindly update the Jira
with the listed CVEs and the affected version (3.8.1)?
We'll check if these CVEs should be fixed on ZooKeeper side and if
needed, you should expect a new release from the 3.8.x branch, since
it's an active release branch.
Andor
On Fri, 2023-05-26 at 08:33 +0200, Andor Molnar wrote:
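A triage helper for the report format in Andor's message (an added example, not ZooKeeper project code or the OWASP build itself): it parses dependency-check "[ERROR] <jar>: CVE(score)" summary lines, folds a CVE that several jars of the same Jetty release carry into one entry, and splits the result at a CVSS threshold. The sample lines are constructed from the three quoted above with the mailer-wrapped CVE ids re-joined; the 7.0 threshold is an assumption.

```python
"""Triage helper for OWASP dependency-check summary lines as quoted above:
    [ERROR] <artifact>-<version>.jar: CVE-YYYY-NNNNN(score), ...
Added example; not ZooKeeper project code."""
import re
from collections import defaultdict

# Constructed sample: the three lines from the 3.8.1 OWASP build, with the CVE
# ids re-joined where the mailer had wrapped them, plus one non-finding line.
SAMPLE_REPORT = """\
[INFO] Dependency-Check analysis complete
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
"""

LINE_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+)\.jar:\s*(?P<findings>.+)$")
FINDING_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
VERSION_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)$")  # "jetty-io-9.4.49.v20220914" -> name, version

def parse_report(text):
    """Return {cve: {"score": float, "artifacts": {(name, version), ...}}}.
    A CVE reported against several jars (jetty-io and jetty-server here, both
    from the same Jetty release) collapses into one entry listing each jar."""
    cves = defaultdict(lambda: {"score": 0.0, "artifacts": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # INFO/WARN lines carry no finding
        v = VERSION_RE.match(m.group("jar"))
        artifact = (v.group("name"), v.group("version")) if v else (m.group("jar"), "")
        for cve, score in FINDING_RE.findall(m.group("findings")):
            entry = cves[cve]
            entry["score"] = max(entry["score"], float(score))  # keep highest CVSS seen
            entry["artifacts"].add(artifact)
    return dict(cves)

def triage(cves, threshold=7.0):
    """Split CVE ids at a CVSS threshold; 7.0 is an assumed release-blocking bar."""
    high = sorted((c for c, e in cves.items() if e["score"] >= threshold),
                  key=lambda c: (-cves[c]["score"], c))
    low = sorted(c for c, e in cves.items() if e["score"] < threshold)
    return high, low

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    high, low = triage(report)
    for cve in high + low:
        jars = ", ".join(f"{n}:{v}" for n, v in sorted(report[cve]["artifacts"]))
        print(f"{cve} CVSS {report[cve]['score']} -> {jars}")
```

On the sample, only CVE-2022-45688 clears the assumed bar; the two Jetty CVEs are listed once each, against both jetty-io and jetty-server.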
Re: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper latest version
Posted by Andor Molnar <an...@apache.org>.
Hi Ben,
Let me check this.
I triggered an owasp check build on Apache CI:
https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.1/7/
Btw, Enrico, we're still having both 3.8.0 and 3.8.1 releases on the
web page as separate release lines. Would you mind if I submit a change
to the webpage to remove 3.8.0?
Not sure who I talked to about it; it was a long time ago.
Regards,
Andor
On Thu, 2023-05-18 at 17:54 +0000, Ben Johnston wrote:
Re: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper latest version
Posted by Ben Johnston <be...@cofense.com.INVALID>.
> version of zookeeper we are using is 3.8.0
The latest ZooKeeper release is 3.8.1 (https://github.com/apache/zookeeper/releases/tag/release-3.8.1), which included a number of bug fixes, probably some that are in your list.
3.8.1 does have a medium and a low CVE that are on the Jetty server: CVE-2023-26048 and CVE-2023-26049. When might the team do a release for security fixes?
Thanks,
Ben Johnston, GCIH, GCFA, GPEN
Application Security Engineer
COFENSE
o. 785-250-4412
e. ben.johnston@cofense.com