Posted to commits@pulsar.apache.org by ni...@apache.org on 2022/06/21 05:21:19 UTC
[pulsar] branch master updated: [security] Suppress CVE-2022-23712 warnings (#16110)
This is an automated email from the ASF dual-hosted git repository.
nicoloboschi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new f4a6b864f84 [security] Suppress CVE-2022-23712 warnings (#16110)
f4a6b864f84 is described below
commit f4a6b864f84ad5c403c8736ed465b6f4340d625c
Author: tison <wa...@gmail.com>
AuthorDate: Tue Jun 21 13:21:09 2022 +0800
[security] Suppress CVE-2022-23712 warnings (#16110)
* [security] Bump ES client version to 8.2.3
This fixes CVE-2022-23712.
Signed-off-by: tison <wa...@gmail.com>
* add suppressions
Signed-off-by: tison <wa...@gmail.com>
* suppress exact CVE-2022-23712
Signed-off-by: tison <wa...@gmail.com>
* using sha1
Signed-off-by: tison <wa...@gmail.com>
* bump fastjson version
Fixes CVE-2022-25845.
Signed-off-by: tison <wa...@gmail.com>
* Revert "bump fastjson version"
This reverts commit 4d140adf6d9489094715a7e20d77783ce4493e90.
---
src/owasp-dependency-check-suppressions.xml | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 4787fcb348a..1d5b8d9d2be 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -37,7 +37,25 @@
<vulnerabilityName regex="true">.*</vulnerabilityName>
</suppress>
- <!-- see https://github.com/apache/pulsar/pull/14629-->
+ <!-- see https://github.com/apache/pulsar/pull/16110 -->
+ <suppress>
+ <notes><![CDATA[
+ file name: elasticsearch-java-8.1.0.jar
+ CVE-2022-23712 is only related to Elastic server.
+ ]]></notes>
+ <sha1>edf5be04cbc2eafc51540ba33f9536e788b9d60b</sha1>
+ <cve>CVE-2022-23712</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: elasticsearch-rest-client-8.1.0.jar
+ CVE-2022-23712 is only related to Elastic server.
+ ]]></notes>
+ <sha1>10e7aa09f10955a074c0a574cb699344d2745df1</sha1>
+ <cve>CVE-2022-23712</cve>
+ </suppress>
+
+ <!-- see https://github.com/apache/pulsar/pull/14629 -->
<suppress>
<notes><![CDATA[
file name: kotlin-stdlib-common-1.4.32.jar
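Review bot: the justification in the two new `<suppress>` blocks (the entries for elasticsearch-java-8.1.0.jar and elasticsearch-rest-client-8.1.0.jar) rests solely on the sentence "CVE-2022-23712 is only related to Elastic server", and the commit message's first bullet says the ES client was bumped to 8.2.3 while the diffstat shows only this suppressions file changed; the final message should be reconciled with the actual diff so a later reader does not assume the jars were upgraded. Suggest putting the source for the server-only claim (the advisory the author relied on) inside the `<notes>` CDATA so the exception can be re-validated without rediscovering it. Pinning each entry by `<sha1>` rather than a `packageUrl` regex is the right scope: it matches exactly these two 8.1.0 artifacts, and once either jar is upgraded the hash no longer matches, the suppression silently stops applying, and the scan will flag the CVE again if the new version is still reported; the trade-off is that the entries will need updating on every ES client bump. Consider adding an `until` date attribute on each `<suppress>` so the exception is re-reviewed even if the dependency is never bumped. The trailing context shows the older `<!-- see https://github.com/apache/pulsar/pull/14629 -->` comment moved below the new entries, which keeps the file readable; the block placement is fine.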