Posted to dev@apisix.apache.org by Baoyuan <ba...@gmail.com> on 2021/12/29 08:34:38 UTC

[DISCUSS] Backport CVE-2021-45232 fix code

Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232, they
need to upgrade Dashboard to version 2.10.1.

Because the Dashboard version needs to correspond to the APISIX version, users
will also need to consider upgrading APISIX, which may be inconvenient for
them.

Are we considering backporting the fix for this vulnerability to the
earlier affected versions? What do you think?

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Zeping Bai <bz...@apache.org>.
Hi, everyone.

I think it is necessary and it will help users to resolve CVE
vulnerabilities faster.

Best regards!
Zeping Bai  @bzp2010


Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 16:35:

> Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232, they
> need to upgrade Dashboard to version 2.10.1.
>
> Due to the Dashboard version needing to correspond to APISIX, users will
> also need to consider upgrading APISIX, which may cause inconvenience to
> users.
>
> Are we considering backporting the fixed code for this vulnerability to the
> previous affected version? What do you think?
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by JunXu Chen <ch...@apache.org>.
Thank you for posting the issue to the mailing list, Baoyuan.

Since I created the issue last night, there have been problems with my
network and I have not been able to give feedback in time.

On Fri, 31 Dec 2021 at 11:11, Baoyuan <ba...@gmail.com> wrote:

> Hi, notice that the relevant issue has been created[1].
>
> Thanks to JunXu Chen!
>
> [1] https://github.com/apache/apisix-dashboard/issues/2275
>
> JunXu Chen <ch...@apache.org> wrote on Thu, 30 Dec 2021 at 14:22:
>
> > OK,  let's create an issue in APISIX Dashboard repo and show how to
> disable
> > the two APIs and rebuild.
> >
> > On Thu, 30 Dec 2021 at 11:55, Zhiyuan Ju <ju...@apache.org> wrote:
> >
> > > It's also a good idea after consideration, disabling those 2 APIs is
> the
> > > quickest way. If users need the OpenAPI feature, they could rebuild
> > > according to build doc :)
> > >
> > > Junxu, could you please share the steps on how to disable and rebuild
> > > manager-api?
> > >
> > > Best Regards!
> > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > >
> > >
> > > Ming Wen <we...@apache.org> wrote on Thu, 30 Dec 2021 at 10:08:
> > >
> > > > I don’t think we need to be compatible with so many old versions. Is
> > > there
> > > > a quick fix guide? For example, disable these two APIs
> > > >
> > > > Thanks,
> > > > Ming Wen, Apache APISIX PMC Chair
> > > > Twitter: _WenMing
> > > >
> > > >
> > > > Baoyuan <ba...@gmail.com> wrote on Thu, 30 Dec 2021 at 10:04:
> > > >
> > > > > Hi, after confirming with JunXu Chen that the vulnerability was
> > > > introduced
> > > > > in version 2.7.0.
> > > > >
> > > > > We need to cherry-pick the fixed commit[1] to the appropriate
> release
> > > > > branch to re-release the fixed version.
> > > > >
> > > > > Affected versions are v2.9.0, v2.8, v2.7.1, these versions need to
> be
> > > > > released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.
> > > > >
> > > > > I will submit the corresponding fix PRs.
> > > > >
> > > > > [1]
> > > > > https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd
> > > > >
> > > > > Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:
> > > > >
> > > > > > Hi Yuan Bao,
> > > > > >
> > > > > > According to this mailing list's feedbacks, we need to backport
> > that
> > > > fix
> > > > > to
> > > > > > the previous version, could you help to do that? And PMC could
> help
> > > you
> > > > > to
> > > > > > release them.
> > > > > >
> > > > > > Best Regards!
> > > > > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > > > > >
> > > > > >
> > > > > > okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
> > > > > >
> > > > > > > Support backport the fix +1
> > > > > > > This will help users to quickly improve the security of the
> > > > Dashboard.
> > > > > > >
> > > > > > > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> > > > > > >
> > > > > > > > Support backport the fix +1
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > > > > > > >
> > > > > > > > > Agreed to backport the fix. For users using APISIX in prod
> > > > > > environment,
> > > > > > > > > It will be a long day to upgrade both APISIX and APISIX
> > > > dashboard.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <juzhiyuan@apache.org> wrote:
> > > > > > > > > >
> > > > > > > > > > I also support back port this fix to previous Dashboard,
> or
> > > > > > provide a
> > > > > > > > > quick
> > > > > > > > > > way for users to disable those 2 Unauthorized APIs
> > > > > > > > > >
> > > > > > > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > > > > > > >
> > > > > > > > > >> Hi Community, when APISIX Dashboard users try to fix
> > > > > > CVE-2021-45232,
> > > > > > > > > they
> > > > > > > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > > > > > > >>
> > > > > > > > > >> Due to the Dashboard version needing to correspond to
> > > APISIX,
> > > > > > users
> > > > > > > > will
> > > > > > > > > >> also need to consider upgrading APISIX, which may cause
> > > > > > > inconvenience
> > > > > > > > to
> > > > > > > > > >> users.
> > > > > > > > > >>
> > > > > > > > > >> Are we considering backporting the fixed code for this
> > > > > > vulnerability
> > > > > > > > to
> > > > > > > > > the
> > > > > > > > > >> previous affected version? What do you think?
> > > > > > > > > >>
> > > > > > > > > > --
> > > > > > > > > > From Zhiyuan Ju
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Baoyuan <ba...@gmail.com>.
Hi, notice that the relevant issue has been created[1].

Thanks to JunXu Chen!

[1] https://github.com/apache/apisix-dashboard/issues/2275

JunXu Chen <ch...@apache.org> wrote on Thu, 30 Dec 2021 at 14:22:

> OK,  let's create an issue in APISIX Dashboard repo and show how to disable
> the two APIs and rebuild.
>
> On Thu, 30 Dec 2021 at 11:55, Zhiyuan Ju <ju...@apache.org> wrote:
>
> > It's also a good idea after consideration, disabling those 2 APIs is the
> > quickest way. If users need the OpenAPI feature, they could rebuild
> > according to build doc :)
> >
> > Junxu, could you please share the steps on how to disable and rebuild
> > manager-api?
> >
> > Best Regards!
> > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> >
> >
> > Ming Wen <we...@apache.org> wrote on Thu, 30 Dec 2021 at 10:08:
> >
> > > I don’t think we need to be compatible with so many old versions. Is
> > there
> > > a quick fix guide? For example, disable these two APIs
> > >
> > > Thanks,
> > > Ming Wen, Apache APISIX PMC Chair
> > > Twitter: _WenMing
> > >
> > >
> > > Baoyuan <ba...@gmail.com> wrote on Thu, 30 Dec 2021 at 10:04:
> > >
> > > > Hi, after confirming with JunXu Chen that the vulnerability was
> > > introduced
> > > > in version 2.7.0.
> > > >
> > > > We need to cherry-pick the fixed commit[1] to the appropriate release
> > > > branch to re-release the fixed version.
> > > >
> > > > Affected versions are v2.9.0, v2.8, v2.7.1, these versions need to be
> > > > released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.
> > > >
> > > > I will submit the corresponding fix PRs.
> > > >
> > > > [1]
> > > > https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd
> > > >
> > > > Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:
> > > >
> > > > > Hi Yuan Bao,
> > > > >
> > > > > According to this mailing list's feedbacks, we need to backport
> that
> > > fix
> > > > to
> > > > > the previous version, could you help to do that? And PMC could help
> > you
> > > > to
> > > > > release them.
> > > > >
> > > > > Best Regards!
> > > > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > > > >
> > > > >
> > > > > okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
> > > > >
> > > > > > Support backport the fix +1
> > > > > > This will help users to quickly improve the security of the
> > > Dashboard.
> > > > > >
> > > > > > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> > > > > >
> > > > > > > Support backport the fix +1
> > > > > > >
> > > > > > >
> > > > > > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > > > > > >
> > > > > > > > Agreed to backport the fix. For users using APISIX in prod
> > > > > environment,
> > > > > > > > It will be a long day to upgrade both APISIX and APISIX
> > > dashboard.
> > > > > > > >
> > > > > > > >
> > > > > > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <juzhiyuan@apache.org> wrote:
> > > > > > > > >
> > > > > > > > > I also support back port this fix to previous Dashboard, or
> > > > > provide a
> > > > > > > > quick
> > > > > > > > > way for users to disable those 2 Unauthorized APIs
> > > > > > > > >
> > > > > > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > > > > > >
> > > > > > > > >> Hi Community, when APISIX Dashboard users try to fix
> > > > > CVE-2021-45232,
> > > > > > > > they
> > > > > > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > > > > > >>
> > > > > > > > >> Due to the Dashboard version needing to correspond to
> > APISIX,
> > > > > users
> > > > > > > will
> > > > > > > > >> also need to consider upgrading APISIX, which may cause
> > > > > > inconvenience
> > > > > > > to
> > > > > > > > >> users.
> > > > > > > > >>
> > > > > > > > >> Are we considering backporting the fixed code for this
> > > > > vulnerability
> > > > > > > to
> > > > > > > > the
> > > > > > > > >> previous affected version? What do you think?
> > > > > > > > >>
> > > > > > > > > --
> > > > > > > > > From Zhiyuan Ju
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by JunXu Chen <ch...@apache.org>.
OK, let's create an issue in the APISIX Dashboard repo and show how to disable
the two APIs and rebuild.

On Thu, 30 Dec 2021 at 11:55, Zhiyuan Ju <ju...@apache.org> wrote:

> It's also a good idea after consideration, disabling those 2 APIs is the
> quickest way. If users need the OpenAPI feature, they could rebuild
> according to build doc :)
>
> Junxu, could you please share the steps on how to disable and rebuild
> manager-api?
>
> Best Regards!
> @ Zhiyuan Ju <https://github.com/juzhiyuan>
>
>
> Ming Wen <we...@apache.org> wrote on Thu, 30 Dec 2021 at 10:08:
>
> > I don’t think we need to be compatible with so many old versions. Is
> there
> > a quick fix guide? For example, disable these two APIs
> >
> > Thanks,
> > Ming Wen, Apache APISIX PMC Chair
> > Twitter: _WenMing
> >
> >
> > Baoyuan <ba...@gmail.com> wrote on Thu, 30 Dec 2021 at 10:04:
> >
> > > Hi, after confirming with JunXu Chen that the vulnerability was
> > introduced
> > > in version 2.7.0.
> > >
> > > We need to cherry-pick the fixed commit[1] to the appropriate release
> > > branch to re-release the fixed version.
> > >
> > > Affected versions are v2.9.0, v2.8, v2.7.1, these versions need to be
> > > released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.
> > >
> > > I will submit the corresponding fix PRs.
> > >
> > > [1]
> > > https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd
> > >
> > > Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:
> > >
> > > > Hi Yuan Bao,
> > > >
> > > > According to this mailing list's feedbacks, we need to backport that
> > fix
> > > to
> > > > the previous version, could you help to do that? And PMC could help
> you
> > > to
> > > > release them.
> > > >
> > > > Best Regards!
> > > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > > >
> > > >
> > > > okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
> > > >
> > > > > Support backport the fix +1
> > > > > This will help users to quickly improve the security of the
> > Dashboard.
> > > > >
> > > > > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> > > > >
> > > > > > Support backport the fix +1
> > > > > >
> > > > > >
> > > > > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > > > > >
> > > > > > > Agreed to backport the fix. For users using APISIX in prod
> > > > environment,
> > > > > > > It will be a long day to upgrade both APISIX and APISIX
> > dashboard.
> > > > > > >
> > > > > > >
> > > > > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <juzhiyuan@apache.org> wrote:
> > > > > > > >
> > > > > > > > I also support back port this fix to previous Dashboard, or
> > > > provide a
> > > > > > > quick
> > > > > > > > way for users to disable those 2 Unauthorized APIs
> > > > > > > >
> > > > > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > > > > >
> > > > > > > >> Hi Community, when APISIX Dashboard users try to fix
> > > > CVE-2021-45232,
> > > > > > > they
> > > > > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > > > > >>
> > > > > > > >> Due to the Dashboard version needing to correspond to
> APISIX,
> > > > users
> > > > > > will
> > > > > > > >> also need to consider upgrading APISIX, which may cause
> > > > > inconvenience
> > > > > > to
> > > > > > > >> users.
> > > > > > > >>
> > > > > > > >> Are we considering backporting the fixed code for this
> > > > vulnerability
> > > > > > to
> > > > > > > the
> > > > > > > >> previous affected version? What do you think?
> > > > > > > >>
> > > > > > > > --
> > > > > > > > From Zhiyuan Ju
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Zhiyuan Ju <ju...@apache.org>.
After consideration, it's also a good idea: disabling those 2 APIs is the
quickest way. If users need the OpenAPI feature, they could rebuild
according to the build doc :)

Junxu, could you please share the steps on how to disable and rebuild
manager-api?

Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>


Ming Wen <we...@apache.org> wrote on Thu, 30 Dec 2021 at 10:08:

> I don’t think we need to be compatible with so many old versions. Is there
> a quick fix guide? For example, disable these two APIs
>
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
>
> Baoyuan <ba...@gmail.com> wrote on Thu, 30 Dec 2021 at 10:04:
>
> > Hi, after confirming with JunXu Chen that the vulnerability was
> introduced
> > in version 2.7.0.
> >
> > We need to cherry-pick the fixed commit[1] to the appropriate release
> > branch to re-release the fixed version.
> >
> > Affected versions are v2.9.0, v2.8, v2.7.1, these versions need to be
> > released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.
> >
> > I will submit the corresponding fix PRs.
> >
> > [1]
> > https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd
> >
> > Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:
> >
> > > Hi Yuan Bao,
> > >
> > > According to this mailing list's feedbacks, we need to backport that
> fix
> > to
> > > the previous version, could you help to do that? And PMC could help you
> > to
> > > release them.
> > >
> > > Best Regards!
> > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > >
> > >
> > > okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
> > >
> > > > Support backport the fix +1
> > > > This will help users to quickly improve the security of the
> Dashboard.
> > > >
> > > > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> > > >
> > > > > Support backport the fix +1
> > > > >
> > > > >
> > > > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > > > >
> > > > > > Agreed to backport the fix. For users using APISIX in prod
> > > environment,
> > > > > > It will be a long day to upgrade both APISIX and APISIX
> dashboard.
> > > > > >
> > > > > >
> > > > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> > > > > > >
> > > > > > > I also support back port this fix to previous Dashboard, or
> > > provide a
> > > > > > quick
> > > > > > > way for users to disable those 2 Unauthorized APIs
> > > > > > >
> > > > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > > > >
> > > > > > >> Hi Community, when APISIX Dashboard users try to fix
> > > CVE-2021-45232,
> > > > > > they
> > > > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > > > >>
> > > > > > >> Due to the Dashboard version needing to correspond to APISIX,
> > > users
> > > > > will
> > > > > > >> also need to consider upgrading APISIX, which may cause
> > > > inconvenience
> > > > > to
> > > > > > >> users.
> > > > > > >>
> > > > > > >> Are we considering backporting the fixed code for this
> > > vulnerability
> > > > > to
> > > > > > the
> > > > > > >> previous affected version? What do you think?
> > > > > > >>
> > > > > > > --
> > > > > > > From Zhiyuan Ju
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Ming Wen <we...@apache.org>.
I don't think we need to be compatible with so many old versions. Is there
a quick fix guide? For example, disabling these two APIs.

Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing


Baoyuan <ba...@gmail.com> wrote on Thu, 30 Dec 2021 at 10:04:

> Hi, after confirming with JunXu Chen that the vulnerability was introduced
> in version 2.7.0.
>
> We need to cherry-pick the fixed commit[1] to the appropriate release
> branch to re-release the fixed version.
>
> Affected versions are v2.9.0, v2.8, v2.7.1, these versions need to be
> released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.
>
> I will submit the corresponding fix PRs.
>
> [1]
> https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd
>
> Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:
>
> > Hi Yuan Bao,
> >
> > According to this mailing list's feedbacks, we need to backport that fix
> to
> > the previous version, could you help to do that? And PMC could help you
> to
> > release them.
> >
> > Best Regards!
> > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> >
> >
> > okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
> >
> > > Support backport the fix +1
> > > This will help users to quickly improve the security of the Dashboard.
> > >
> > > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> > >
> > > > Support backport the fix +1
> > > >
> > > >
> > > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > > >
> > > > > Agreed to backport the fix. For users using APISIX in prod
> > environment,
> > > > > It will be a long day to upgrade both APISIX and APISIX dashboard.
> > > > >
> > > > >
> > > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> > > > > >
> > > > > > I also support back port this fix to previous Dashboard, or
> > provide a
> > > > > quick
> > > > > > way for users to disable those 2 Unauthorized APIs
> > > > > >
> > > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > > >
> > > > > >> Hi Community, when APISIX Dashboard users try to fix
> > CVE-2021-45232,
> > > > > they
> > > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > > >>
> > > > > >> Due to the Dashboard version needing to correspond to APISIX,
> > users
> > > > will
> > > > > >> also need to consider upgrading APISIX, which may cause
> > > inconvenience
> > > > to
> > > > > >> users.
> > > > > >>
> > > > > >> Are we considering backporting the fixed code for this
> > vulnerability
> > > > to
> > > > > the
> > > > > >> previous affected version? What do you think?
> > > > > >>
> > > > > > --
> > > > > > From Zhiyuan Ju
> > > > >
> > > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Baoyuan <ba...@gmail.com>.
Hi, I confirmed with JunXu Chen that the vulnerability was introduced in
version 2.7.0.

We need to cherry-pick the fix commit[1] to the appropriate release
branches to re-release fixed versions.

Affected versions are v2.9.0, v2.8, v2.7.1; these versions need to be
released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.

I will submit the corresponding fix PRs.

[1]
https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd

Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:

> Hi Yuan Bao,
>
> According to this mailing list's feedbacks, we need to backport that fix to
> the previous version, could you help to do that? And PMC could help you to
> release them.
>
> Best Regards!
> @ Zhiyuan Ju <https://github.com/juzhiyuan>
>
>
> okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
>
> > Support backport the fix +1
> > This will help users to quickly improve the security of the Dashboard.
> >
> > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> >
> > > Support backport the fix +1
> > >
> > >
> > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > >
> > > > Agreed to backport the fix. For users using APISIX in prod
> environment,
> > > > It will be a long day to upgrade both APISIX and APISIX dashboard.
> > > >
> > > >
> > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> > > > >
> > > > > I also support back port this fix to previous Dashboard, or
> provide a
> > > > quick
> > > > > way for users to disable those 2 Unauthorized APIs
> > > > >
> > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > >
> > > > >> Hi Community, when APISIX Dashboard users try to fix
> CVE-2021-45232,
> > > > they
> > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > >>
> > > > >> Due to the Dashboard version needing to correspond to APISIX,
> users
> > > will
> > > > >> also need to consider upgrading APISIX, which may cause
> > inconvenience
> > > to
> > > > >> users.
> > > > >>
> > > > >> Are we considering backporting the fixed code for this
> vulnerability
> > > to
> > > > the
> > > > >> previous affected version? What do you think?
> > > > >>
> > > > > --
> > > > > From Zhiyuan Ju
> > > >
> > > >
> > >
> >
>
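The backport procedure Baoyuan describes above (cherry-pick the fix commit onto each affected release branch, then cut a patch release from it), as an added shell example that is not part of this thread or of the apisix-dashboard project. It builds a throwaway git repository standing in for the Dashboard, cherry-picks one fix commit onto each release branch with `git cherry-pick -x`, aborts cleanly if a pick conflicts, and verifies that every branch actually carries the fix before anything would be tagged. The repository contents, the branch names (release/2.7, release/2.8, release/2.9) and the handler file are constructed assumptions; only the version mapping (v2.9.0, v2.8, v2.7.1 to v2.9.1, v2.8.1, v2.7.2) comes from the post.

```shell
#!/bin/sh
# Added example, not from the thread or the apisix-dashboard project:
# backport one fix commit onto several release branches and verify that
# each branch carries it. Repository, branch names and the handler file
# are constructed stand-ins; only the patch-release mapping is from the post.
set -eu

export GIT_AUTHOR_NAME=backport-demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=backport-demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Release branches that still carry the bug (the thread says it was
# introduced in 2.7.0). The branch names are an assumption for this demo.
AFFECTED_BRANCHES="release/2.7 release/2.8 release/2.9"

# Build a throwaway repository: one base commit, a release branch per
# affected series (each diverged with its own changelog), then the fix
# committed on main only. Prints the repository path.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main   # unborn HEAD -> main
  printf 'package handler\n\nconst requireAuth = false // constructed bug\n' > "$repo/handler.go"
  git -C "$repo" add handler.go
  git -C "$repo" commit -q -m "2.7.0: add manager-api handler (constructed)"
  for br in $AFFECTED_BRANCHES; do
    git -C "$repo" checkout -q -b "$br"
    printf '# %s\n' "$br" > "$repo/CHANGELOG.md"
    git -C "$repo" add CHANGELOG.md
    git -C "$repo" commit -q -m "$br: branch-specific changelog"
    git -C "$repo" checkout -q main
  done
  printf 'package handler\n\nconst requireAuth = true // fix: enforce authentication\n' > "$repo/handler.go"
  git -C "$repo" commit -q -am "fix: require authentication on the two affected APIs"
  echo "$repo"
}

# Cherry-pick $fix onto every branch given, with -x so the new commit
# records which upstream commit it came from. A conflicting pick is aborted
# rather than left half-applied; the return value is the number of branches
# that still need a manual backport.
backport_fix() {
  repo=$1; fix=$2; shift 2
  failed=0
  for br in "$@"; do
    git -C "$repo" checkout -q "$br"
    if git -C "$repo" cherry-pick -x "$fix" >/dev/null 2>&1; then
      echo "backported $fix onto $br"
    else
      git -C "$repo" cherry-pick --abort
      echo "conflict on $br: resolve the backport by hand" >&2
      failed=$((failed + 1))
    fi
  done
  git -C "$repo" checkout -q main
  return "$failed"
}

# A branch counts as fixed only if the handler now requires auth AND its
# history holds the "(cherry picked from commit <fix>)" trailer written by -x.
branch_has_fix() {
  repo=$1; br=$2; fix=$3
  git -C "$repo" show "$br:handler.go" | grep -q 'requireAuth = true' &&
    git -C "$repo" log "$br" --grep="cherry picked from commit $fix" --oneline | grep -q .
}

# Patch release each branch is tagged as once the fix lands (from the post).
next_release() {
  case $1 in
    release/2.7) echo v2.7.2 ;;
    release/2.8) echo v2.8.1 ;;
    release/2.9) echo v2.9.1 ;;
    *) echo unknown ;;
  esac
}

run_demo() {
  repo=$(make_demo_repo)
  fix=$(git -C "$repo" rev-parse main)
  backport_fix "$repo" "$fix" $AFFECTED_BRANCHES || echo "$? branch(es) need manual resolution" >&2
  for br in $AFFECTED_BRANCHES; do
    if branch_has_fix "$repo" "$br" "$fix"; then
      echo "$br carries the fix; ready to tag $(next_release "$br")"
    else
      echo "$br is still vulnerable" >&2
    fi
  done
  rm -rf "$repo"
}

run_demo
```

Run it with `sh` wherever git is installed. `backport_fix` returns the count of branches whose pick conflicted, so a non-zero status is the signal to resolve those backports by hand before tagging; `branch_has_fix` is the check to run on each release branch afterwards, since a branch that merely looks patched but lacks the `-x` trailer has no audit trail back to the upstream fix.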

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Qi Guo <gu...@gmail.com>.
Support backport the fix +1

This will be user friendly!

Zhiyuan Ju <ju...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:

> Hi Yuan Bao,
>
> According to this mailing list's feedbacks, we need to backport that fix to
> the previous version, could you help to do that? And PMC could help you to
> release them.
>
> Best Regards!
> @ Zhiyuan Ju <https://github.com/juzhiyuan>
>
>
> okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
>
> > Support backport the fix +1
> > This will help users to quickly improve the security of the Dashboard.
> >
> > JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> >
> > > Support backport the fix +1
> > >
> > >
> > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> > >
> > > > Agreed to backport the fix. For users using APISIX in prod
> environment,
> > > > It will be a long day to upgrade both APISIX and APISIX dashboard.
> > > >
> > > >
> > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> > > > >
> > > > > I also support back port this fix to previous Dashboard, or
> provide a
> > > > quick
> > > > > way for users to disable those 2 Unauthorized APIs
> > > > >
> > > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > >
> > > > >> Hi Community, when APISIX Dashboard users try to fix
> CVE-2021-45232,
> > > > they
> > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > >>
> > > > >> Due to the Dashboard version needing to correspond to APISIX,
> users
> > > will
> > > > >> also need to consider upgrading APISIX, which may cause
> > inconvenience
> > > to
> > > > >> users.
> > > > >>
> > > > >> Are we considering backporting the fixed code for this
> vulnerability
> > > to
> > > > the
> > > > >> previous affected version? What do you think?
> > > > >>
> > > > > --
> > > > > From Zhiyuan Ju
> > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Zhiyuan Ju <ju...@apache.org>.
Hi Yuan Bao,

According to this mailing list's feedback, we need to backport that fix to
the previous versions; could you help to do that? The PMC could help you to
release them.

Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>


okaybase <ok...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:

> Support backport the fix +1
> This will help users to quickly improve the security of the Dashboard.
>
> JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
>
> > Support backport the fix +1
> >
> >
> > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
> >
> > > Agreed to backport the fix. For users using APISIX in prod environment,
> > > It will be a long day to upgrade both APISIX and APISIX dashboard.
> > >
> > >
> > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> > > >
> > > > I also support back port this fix to previous Dashboard, or provide a
> > > quick
> > > > way for users to disable those 2 Unauthorized APIs
> > > >
> > > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > >
> > > >> Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232,
> > > they
> > > >> need to upgrade Dashboard to version 2.10.1.
> > > >>
> > > >> Due to the Dashboard version needing to correspond to APISIX, users
> > will
> > > >> also need to consider upgrading APISIX, which may cause
> inconvenience
> > to
> > > >> users.
> > > >>
> > > >> Are we considering backporting the fixed code for this vulnerability
> > to
> > > the
> > > >> previous affected version? What do you think?
> > > >>
> > > > --
> > > > From Zhiyuan Ju
> > >
> > >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by okaybase <ok...@apache.org>.
Support backport the fix +1
This will help users to quickly improve the security of the Dashboard.

JunXu Chen <ch...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:

> Support backport the fix +1
>
>
> On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.tsang@icloud.com.invalid> wrote:
>
> > Agreed to backport the fix. For users using APISIX in prod environment,
> > It will be a long day to upgrade both APISIX and APISIX dashboard.
> >
> >
> > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> > >
> > > I also support back port this fix to previous Dashboard, or provide a
> > quick
> > > way for users to disable those 2 Unauthorized APIs
> > >
> > > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > >
> > >> Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232,
> > they
> > >> need to upgrade Dashboard to version 2.10.1.
> > >>
> > >> Due to the Dashboard version needing to correspond to APISIX, users
> will
> > >> also need to consider upgrading APISIX, which may cause inconvenience
> to
> > >> users.
> > >>
> > >> Are we considering backporting the fixed code for this vulnerability
> to
> > the
> > >> previous affected version? What do you think?
> > >>
> > > --
> > > From Zhiyuan Ju
> >
> >
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by JunXu Chen <ch...@apache.org>.
Support backport the fix +1


On Wed, 29 Dec 2021 at 17:30, Tsangleslie <le...@icloud.com.invalid> wrote:

> Agreed to backport the fix. For users using APISIX in prod environment,
> It will be a long day to upgrade both APISIX and APISIX dashboard.
>
>
> > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> >
> > I also support back port this fix to previous Dashboard, or provide a
> quick
> > way for users to disable those 2 Unauthorized APIs
> >
> > Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> >
> >> Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232,
> they
> >> need to upgrade Dashboard to version 2.10.1.
> >>
> >> Due to the Dashboard version needing to correspond to APISIX, users will
> >> also need to consider upgrading APISIX, which may cause inconvenience to
> >> users.
> >>
> >> Are we considering backporting the fixed code for this vulnerability to
> the
> >> previous affected version? What do you think?
> >>
> > --
> > From Zhiyuan Ju
>
>

Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Tsangleslie <le...@icloud.com.INVALID>.
Agreed to backport the fix. For users running APISIX in a prod environment,
it will be a long day to upgrade both APISIX and APISIX Dashboard.


> On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <ju...@apache.org> wrote:
> 
> I also support back port this fix to previous Dashboard, or provide a quick
> way for users to disable those 2 Unauthorized APIs
> 
> Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> 
>> Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232, they
>> need to upgrade Dashboard to version 2.10.1.
>> 
>> Due to the Dashboard version needing to correspond to APISIX, users will
>> also need to consider upgrading APISIX, which may cause inconvenience to
>> users.
>> 
>> Are we considering backporting the fixed code for this vulnerability to the
>> previous affected version? What do you think?
>> 
> -- 
> From Zhiyuan Ju


Re: [DISCUSS] Backport CVE-2021-45232 fix code

Posted by Zhiyuan Ju <ju...@apache.org>.
I also support backporting this fix to previous Dashboard versions, or providing a
quick way for users to disable those 2 unauthorized APIs.

Baoyuan <ba...@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:

> Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232, they
> need to upgrade Dashboard to version 2.10.1.
>
> Due to the Dashboard version needing to correspond to APISIX, users will
> also need to consider upgrading APISIX, which may cause inconvenience to
> users.
>
> Are we considering backporting the fixed code for this vulnerability to the
> previous affected version? What do you think?
>
-- 
From Zhiyuan Ju