Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/06 14:28:26 UTC
[GitHub] [pulsar] timmyyuan opened a new issue #13152: Update the vulnerable packages in pulsar-all image
timmyyuan opened a new issue #13152:
URL: https://github.com/apache/pulsar/issues/13152
**Describe the bug**
Currently, the pulsar-all image has many CVEs due to dependency packages. We can list them by using image scanners such as [grype](https://github.com/anchore/grype):
```
PyYAML 5.3.1 5.4 GHSA-8q59-q68h-6hv4 Critical
com.typesafe.netty-netty-reactive-streams 2.0.4 CVE-2019-20444 Critical
com.typesafe.netty-netty-reactive-streams 2.0.4 CVE-2019-20445 Critical
maven-aether-provider 3.0.5 CVE-2021-26291 Critical
maven-artifact 3.0.5 CVE-2021-26291 Critical
maven-compat 3.0.5 CVE-2021-26291 Critical
maven-core 3.0.5 CVE-2021-26291 Critical
maven-embedder 3.0.5 CVE-2021-26291 Critical
maven-model 3.0.5 CVE-2021-26291 Critical
maven-model-builder 3.0.5 CVE-2021-26291 Critical
maven-repository-metadata 3.0.5 CVE-2021-26291 Critical
maven-settings 3.0.5 CVE-2021-26291 Critical
maven-settings-builder 3.0.5 CVE-2021-26291 Critical
netty 3.10.6.Final CVE-2019-20444 Critical
netty 3.10.6.Final CVE-2019-20445 Critical
netty-reactive-streams 2.0.4 CVE-2019-20444 Critical
netty-reactive-streams 2.0.4 CVE-2019-20445 Critical
org.apache.logging.log4j-log4j 1.2-api-2.14.0 CVE-2019-17571 Critical
```
**To Reproduce**
```
$ docker pull apachepulsar/pulsar-all:latest
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
$ grype apachepulsar/pulsar-all:latest | grep Critical
```
**Expected behavior**
No critical CVE exists here
**Additional context**
Most of the CVEs above are introduced by `presto`, and for users who do not need pulsar-sql, we can simply remove `presto` from the pulsar-all image. But the log4j package has no corresponding fix yet in the latest 2.14.x. I think we need to upgrade it to a CVE-free version.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
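The reproduction steps above scan the image with grype and grep the table output for `Critical`. As an added example (not code from the issue or from the Pulsar project), here is a Python gate that consumes grype's JSON report instead, which is what a CI step would do. It assumes grype's `-o json` layout (a top-level `matches` list whose entries carry `vulnerability` and `artifact` objects); the sample report embedded in the block is constructed from the findings quoted in the issue, not captured from a real scan, and the `Medium` entry and the allowlist reason are placeholders. The gate fails unless every finding at or above the threshold is covered by a documented accepted-risk entry, so removing presto or upgrading log4j shows up as the allowlist shrinking rather than as grep output going quiet.

```python
"""Severity gate over a grype JSON scan report.

Added example, not code from the original issue or from the Pulsar project.
Assumes grype's JSON report layout as produced by `grype <image> -o json`:
a top-level "matches" list whose entries carry "vulnerability" and
"artifact" objects. SAMPLE_REPORT is constructed from the findings quoted
in the issue, not captured from a real scan.
"""
import json
import sys
from dataclasses import dataclass

# grype severity labels, lowest to highest.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report. Names, versions and ids are the ones listed in
# the issue; the final "Medium" entry is a placeholder added only to show
# threshold filtering.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "GHSA-8q59-q68h-6hv4", "severity": "Critical",
                           "fix": {"versions": ["5.4"], "state": "fixed"}},
         "artifact": {"name": "PyYAML", "version": "5.3.1", "type": "python"}},
        {"vulnerability": {"id": "CVE-2019-20444", "severity": "Critical"},
         "artifact": {"name": "netty", "version": "3.10.6.Final", "type": "java-archive"}},
        {"vulnerability": {"id": "CVE-2019-20445", "severity": "Critical"},
         "artifact": {"name": "netty", "version": "3.10.6.Final", "type": "java-archive"}},
        {"vulnerability": {"id": "CVE-2019-17571", "severity": "Critical"},
         "artifact": {"name": "org.apache.logging.log4j-log4j", "version": "1.2-api-2.14.0",
                      "type": "java-archive"}},
        {"vulnerability": {"id": "PLACEHOLDER-MEDIUM-0001", "severity": "Medium"},
         "artifact": {"name": "example-lib", "version": "1.0.0", "type": "java-archive"}},
    ]
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: tuple  # fix versions grype reports, empty when none is known


def parse_grype_report(report_json: str) -> list:
    """Flatten grype's matches into Finding records; missing fields default safely."""
    doc = json.loads(report_json)
    findings = []
    for match in doc.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        findings.append(Finding(
            package=artifact.get("name", "<unknown>"),
            version=artifact.get("version", "<unknown>"),
            vuln_id=vuln.get("id", "<unknown>"),
            severity=vuln.get("severity", "Unknown"),
            fixed_in=tuple(vuln.get("fix", {}).get("versions", []) or []),
        ))
    return findings


def at_or_above(findings, threshold="Critical"):
    """Keep findings whose severity meets the threshold. A label the table does
    not know (grype's "Unknown") is treated as meeting it, so an unrated
    finding cannot pass the gate silently."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, floor) >= floor]


def unaccepted(findings, allowlist):
    """Drop findings covered by an explicit (vuln_id, package) -> reason entry.
    Keying on both means accepting one CVE in one package does not hide the
    same CVE turning up in another package."""
    return [f for f in findings if (f.vuln_id, f.package) not in allowlist]


def gate(report_json, threshold="Critical", allowlist=None):
    """Return (exit_code, blocking_findings): 0 when nothing blocks, else 1."""
    blocking = unaccepted(at_or_above(parse_grype_report(report_json), threshold),
                          allowlist or {})
    return (1 if blocking else 0), blocking


def main(argv):
    # Usage: python gate.py [report.json]; without a path the sample report is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    # Hypothetical accepted-risk entry; the reason string is the audit trail.
    allowlist = {("CVE-2019-20444", "netty"): "pulled in only by presto, which this build removes"}
    code, blocking = gate(report, "Critical", allowlist)
    for f in blocking:
        fix = ", ".join(f.fixed_in) or "no fix version reported"
        print(f"{f.severity:8} {f.vuln_id:22} {f.package} {f.version} (fixed in: {fix})")
    print("gate:", "PASS" if code == 0 else "FAIL")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the report comes from `grype apachepulsar/pulsar-all:latest -o json > report.json` followed by `python gate.py report.json`; the non-zero exit fails the build while any Critical finding lacks an accepted-risk entry, and the printed fix column makes the "no fix in 2.14.x" situation from the issue visible per finding.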
[GitHub] [pulsar] timmyyuan commented on issue #13152: [Security] Upgrade vulnerable packages in the pulsar-all image
Posted by GitBox <gi...@apache.org>.
timmyyuan commented on issue #13152:
URL: https://github.com/apache/pulsar/issues/13152#issuecomment-999273739
@TIBCOeddie FYI: https://github.com/apache/pulsar/pull/13392
[GitHub] [pulsar] TIBCOeddie commented on issue #13152: [Security] Upgrade vulnerable packages in the pulsar-all image
Posted by GitBox <gi...@apache.org>.
TIBCOeddie commented on issue #13152:
URL: https://github.com/apache/pulsar/issues/13152#issuecomment-998888736
From https://hub.docker.com/r/apachepulsar/pulsar/tags I see nothing updated?
[GitHub] [pulsar] timmyyuan commented on issue #13152: [Security] Upgrade vulnerable packages in the pulsar-all image
Posted by GitBox <gi...@apache.org>.
timmyyuan commented on issue #13152:
URL: https://github.com/apache/pulsar/issues/13152#issuecomment-998428929
I think this issue should be closed since we have updated log4j to 2.17+
[GitHub] [pulsar] TIBCOeddie commented on issue #13152: [Security] Upgrade vulnerable packages in the pulsar-all image
Posted by GitBox <gi...@apache.org>.
TIBCOeddie commented on issue #13152:
URL: https://github.com/apache/pulsar/issues/13152#issuecomment-998195200
In light of all the new CVEs with log4j please ensure a newly updated image is posted with log4j 2.17+ (at time of writing)
[GitHub] [pulsar] timmyyuan closed issue #13152: [Security] Upgrade vulnerable packages in the pulsar-all image
Posted by GitBox <gi...@apache.org>.
timmyyuan closed issue #13152:
URL: https://github.com/apache/pulsar/issues/13152