Posted to commits@pulsar.apache.org by ni...@apache.org on 2022/06/21 05:21:19 UTC

[pulsar] branch master updated: [security] Suppress CVE-2022-23712 warnings (#16110)

This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new f4a6b864f84 [security] Suppress CVE-2022-23712 warnings (#16110)
f4a6b864f84 is described below

commit f4a6b864f84ad5c403c8736ed465b6f4340d625c
Author: tison <wa...@gmail.com>
AuthorDate: Tue Jun 21 13:21:09 2022 +0800

    [security] Suppress CVE-2022-23712 warnings (#16110)
    
    * [security] Bump ES client version to 8.2.3
    
    This fixes CVE-2022-23712.
    
    Signed-off-by: tison <wa...@gmail.com>
    
    * add suppressions
    
    Signed-off-by: tison <wa...@gmail.com>
    
    * suppress exact CVE-2022-23712
    
    Signed-off-by: tison <wa...@gmail.com>
    
    * using sha1
    
    Signed-off-by: tison <wa...@gmail.com>
    
    * bump fastjson version
    
    Fixes CVE-2022-25845.
    
    Signed-off-by: tison <wa...@gmail.com>
    
    * Revert "bump fastjson version"
    
    This reverts commit 4d140adf6d9489094715a7e20d77783ce4493e90.
---
 src/owasp-dependency-check-suppressions.xml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/owasp-dependency-check-suppressions.xml b/src/owasp-dependency-check-suppressions.xml
index 4787fcb348a..1d5b8d9d2be 100644
--- a/src/owasp-dependency-check-suppressions.xml
+++ b/src/owasp-dependency-check-suppressions.xml
@@ -37,7 +37,25 @@
         <vulnerabilityName regex="true">.*</vulnerabilityName>
     </suppress>
 
-    <!-- see https://github.com/apache/pulsar/pull/14629-->
+    <!-- see https://github.com/apache/pulsar/pull/16110 -->
+    <suppress>
+        <notes><![CDATA[
+    file name: elasticsearch-java-8.1.0.jar
+    CVE-2022-23712 is only related to Elastic server.
+    ]]></notes>
+        <sha1>edf5be04cbc2eafc51540ba33f9536e788b9d60b</sha1>
+        <cve>CVE-2022-23712</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+    file name: elasticsearch-rest-client-8.1.0.jar
+    CVE-2022-23712 is only related to Elastic server.
+    ]]></notes>
+        <sha1>10e7aa09f10955a074c0a574cb699344d2745df1</sha1>
+        <cve>CVE-2022-23712</cve>
+    </suppress>
+
+    <!-- see https://github.com/apache/pulsar/pull/14629 -->
     <suppress>
         <notes><![CDATA[
    file name: kotlin-stdlib-common-1.4.32.jar
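Review bot: The two new `<notes>` blocks assert that CVE-2022-23712 "is only related to Elastic server" without citing where that conclusion comes from, so a later maintainer cannot re-verify the suppression when the client jars change; I would extend each notes text with a pointer to the vendor advisory, e.g. `Rationale: per the Elastic security advisory for CVE-2022-23712 (link), the flaw is in the Elasticsearch server; the Java client jars pinned by sha1 below do not contain the affected code. Re-evaluate when these jars are bumped.` Pinning by `<sha1>` is the right choice here, but it also means the suppression silently stops matching on the next upgrade of elasticsearch-java or elasticsearch-rest-client and the finding will reappear, which is worth stating in the note so the reappearance is not mistaken for a regression. The commit message's first bullet says the ES client was bumped to 8.2.3, yet the diffstat shows only this suppressions file changed and the pinned entries are for the 8.1.0 jars, so it appears the bump was not part of what landed; the PR comment on the `<!-- see ... 16110 -->` line could say that explicitly. As a minor style point, the CDATA body of the new entries is indented with four spaces while the existing kotlin-stdlib entry below uses three, so the file now mixes two conventions.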