Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/09/14 19:02:40 UTC

[GitHub] [pulsar] klwilson227 opened a new issue #8061: CVE-2017-14063

klwilson227 opened a new issue #8061:
URL: https://github.com/apache/pulsar/issues/8061


   **Describe the bug**
   Issue path: /pulsar/lib/presto/lib/async-http-client-1.9.40.jar
   
   Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a "?" character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
   
   Reference Info:
   
   https://nvd.nist.gov/vuln/detail/CVE-2017-14063
   
   Severity Rating: 7.5 High
   
   **To Reproduce**
   STAT CVE scan and report of pulsar-core docker image. 
   
   **Expected behavior**
   Expect no HIGH CVEs to be reported.
   
   **Additional context**
   This appears to be an issue in the pulsar-sql/pulsar-presto-distribution/pom.xml which points to the previous com.ning version of async-http-client. Upgrading the pom.xml to point to org.asynchttpclient:async-http-client:2.12.1, the same as the high-level pom, may resolve the issue.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
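The host confusion described in the issue above, as an added example that is not from the Pulsar issue or from async-http-client: a naive parser that models the bug class (a constructed assumption, not the library's actual code) beside Python's RFC 3986 parser, with a check that flags any URL on which the two name different hosts.

```python
from urllib.parse import urlsplit


def naive_host(url: str) -> str:
    """Constructed model of the bug class, not any real library's code:
    the authority is ended only at '/' or '?', never at '#', so text in
    the fragment can be mistaken for userinfo@host."""
    scheme_end = url.find("://")
    if scheme_end < 0:
        raise ValueError("absolute URL expected")
    rest = url[scheme_end + 3:]
    end = len(rest)
    for delim in "/?":
        pos = rest.find(delim)
        if 0 <= pos < end:
            end = pos
    authority = rest[:end]
    # Drop userinfo and port the way a lenient parser would.
    host = authority.rsplit("@", 1)[-1]
    return host.split(":", 1)[0]


def rfc3986_host(url: str) -> str:
    """Host per RFC 3986: the authority ends at the first '/', '?' or '#'."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL")
    return host


def host_mismatch(url: str) -> bool:
    """True when the two parsers name different hosts. Refuse such URLs
    before handing them to a client library: an allow-list check done on
    one parse says nothing about where the other parse connects."""
    return naive_host(url) != rfc3986_host(url)


# Constructed sample inputs.
PLAIN = "http://trusted.example/path?x=1#section"
TRICKY = "http://trusted.example#@other.example/?x=1"  # '?' inside the fragment


if __name__ == "__main__":
    for url in (PLAIN, TRICKY):
        print(url, "->", rfc3986_host(url), naive_host(url), host_mismatch(url))
```

The same disagreement check can be applied between any two parsers in a code base (for instance java.net.URI and an HTTP client's own parser) as a cheap guard while a dependency upgrade is pending.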



[GitHub] [pulsar] jiazhai closed issue #8061: CVE-2017-14063

Posted by GitBox <gi...@apache.org>.
jiazhai closed issue #8061:
URL: https://github.com/apache/pulsar/issues/8061


   

