Posted to notifications@linkis.apache.org by GitBox <gi...@apache.org> on 2022/07/01 13:27:12 UTC

[GitHub] [incubator-linkis] duhanmin opened a new pull request, #2397: create temp directory and RCE

duhanmin opened a new pull request, #2397:
URL: https://github.com/apache/incubator-linkis/pull/2397

   https://github.com/spring-projects/spring-framework/issues/27092
   1. SynchronossPartHttpMessageReader should only create temp directory when needed
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
   2. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
   
   ### What is the purpose of the change
   (For example: EngineConn-Core defines the abstractions and interfaces of the EngineConn core functions.
   The Engine Service in Linkis 0.x is refactored, EngineConn will handle the engine connection and session management.
   Related issues: #590. )
   
   ### Brief change log
   (for example:)
   - Define the core abstraction and interfaces of the EngineConn Factory;
   - Define the core abstraction and interfaces of Executor Manager.
   
   ### Verifying this change
   (Please pick either of the following options)  
   This change is a trivial rework / code cleanup without any test coverage.  
   (or)  
   This change is already covered by existing tests, such as (please describe tests).  
   (or)  
   This change added tests and can be verified as follows:  
   (example:)  
   - Added tests for submit and execute all kinds of jobs to go through and verify the lifecycles of different EngineConns.
   
   ### Does this pull request potentially affect one of the following parts:
   - Dependencies (does it add or upgrade a dependency): (yes / no)
   - Anything that affects deployment: (yes / no / don't know)
   - The MGS(Microservice Governance Services), i.e., Spring Cloud Gateway, OpenFeign, Eureka.: (yes / no)
   
   ### Documentation
   - Does this pull request introduce a new feature? (yes / no)
   - If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org
For additional commands, e-mail: notifications-help@linkis.apache.org


[GitHub] [incubator-linkis] casionone commented on pull request #2397: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-22965

Posted by GitBox <gi...@apache.org>.
casionone commented on PR #2397:
URL: https://github.com/apache/incubator-linkis/pull/2397#issuecomment-1172452904

   Upgrading the springboot version is a big change and should require comprehensive testing




[GitHub] [incubator-linkis] duhanmin closed pull request #2397: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-22965

Posted by GitBox <gi...@apache.org>.
duhanmin closed pull request #2397: [ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-22965
URL: https://github.com/apache/incubator-linkis/pull/2397




[GitHub] [incubator-linkis] duhanmin commented on pull request #2397: create temp directory and RCE

Posted by GitBox <gi...@apache.org>.
duhanmin commented on PR #2397:
URL: https://github.com/apache/incubator-linkis/pull/2397#issuecomment-1172355781

   https://github.com/apache/incubator-linkis/issues/2395




[GitHub] [incubator-linkis] jackxu2011 commented on pull request #2397: SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-22965

Posted by GitBox <gi...@apache.org>.
jackxu2011 commented on PR #2397:
URL: https://github.com/apache/incubator-linkis/pull/2397#issuecomment-1172397968

   this issue should only upgrade spring framework not spring boot

