Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/04/11 15:51:52 UTC

[GitHub] [pulsar] HelenParr opened a new issue, #15124: Potential security vulnerability in the shared library which kafka-connect-avro-converter-shaded depends on.

HelenParr opened a new issue, #15124:
URL: https://github.com/apache/pulsar/issues/15124

   Hi, @mostafij-rahman, @Tango2018cc, I'd like to report a vulnerability issue in **org.apache.pulsar:kafka-connect-avro-converter-shaded:2.9.1**.
   ### Issue Description
   I noticed that **org.apache.pulsar:kafka-connect-avro-converter-shaded:2.9.1** directly depends on **com.github.luben:zstd-jni:v1.4.0-1** in its [pom](https://repo1.maven.org/maven2/org/apache/pulsar/kafka-connect-avro-converter-shaded/2.9.1/kafka-connect-avro-converter-shaded-2.9.1.pom). However, as shown in the following dependency graph, **com.github.luben:zstd-jni:v1.4.0-1** suffers from the vulnerability exposed by the C library **zstd** (version 1.4.0): [CVE-2021-24031](https://nvd.nist.gov/vuln/detail/CVE-2021-24031).
   ### Dependency Graph between Java and Shared Libraries
   ![image (11)](https://user-images.githubusercontent.com/103260963/162780146-feddd045-595c-40f2-9bed-4f6a78a2a041.png)
   ### Suggested Vulnerability Patch Versions
   **com.github.luben:zstd-jni:v1.4.9-1** (**>=v1.4.9-1**) has upgraded this vulnerable C library `zstd` to the patch version **1.4.9**.
   
   Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please upgrade this vulnerable dependency?
   
   Thanks for your help~
   Best regards,
   Helen Parr


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
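The report above hinges on a gap that Maven and Gradle do not close: the native zstd inside the `zstd-jni` jar is invisible to JVM-level dependency audits, so the check has to be done on the resolved coordinates. The following is an added example, not code from the Pulsar project or the reporter: it scans constructed `mvn dependency:tree` output and flags any `com.github.luben:zstd-jni` below the `1.4.9-1` floor named in the report, handling the `v` prefix and the `-N` wrapper build suffix that the coordinates on this page use. Classifier entries (six-field coordinates) are assumed absent.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] com.example:my-connector:jar:1.0.0
[INFO] +- org.apache.pulsar:kafka-connect-avro-converter-shaded:jar:2.9.1:compile
[INFO] |  \\- com.github.luben:zstd-jni:jar:v1.4.0-1:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- com.github.luben:zstd-jni:jar:1.5.2-3:test
"""

# zstd-jni >= 1.4.9-1 bundles the patched native zstd 1.4.9 (per the report above).
MIN_FIXED = "1.4.9-1"
# group:artifact:packaging:version[:scope]; each field excludes ':'.
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:[\w.\-]+):([\w.\-]+)(?::(\w+))?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v1.4.0-1' or '1.4.9-1' into a comparable tuple (1, 4, 0, 1).

    The trailing '-N' is the JNI wrapper build number; when absent it counts as 0,
    so a bare '1.4.9' sorts below '1.4.9-1'. The core is padded to three parts.
    """
    v = v.lstrip("v")
    core, _, build = v.partition("-")
    parts = [int(x) for x in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    parts.append(int(build) if build.isdigit() else 0)
    return tuple(parts)


def iter_coordinates(tree: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (group, artifact, version, scope) for each coordinate line of the tree."""
    for line in tree.splitlines():
        m = COORD_RE.search(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4) or "compile"


def find_vulnerable_zstd(tree: str, min_fixed: str = MIN_FIXED) -> List[str]:
    """Return 'version (scope)' for every zstd-jni resolved below the fixed floor."""
    floor = parse_version(min_fixed)
    hits = []
    for group, artifact, version, scope in iter_coordinates(tree):
        if (group, artifact) == ("com.github.luben", "zstd-jni") and parse_version(version) < floor:
            hits.append(f"{version} ({scope})")
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable_zstd(SAMPLE_TREE):
        print("vulnerable zstd-jni:", hit)
```

Run it against `mvn dependency:tree` output piped to a file; the test-scoped 1.5.2-3 entry in the sample is deliberately left unflagged to show the comparison is on the full version tuple, not a string prefix.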


[GitHub] [pulsar] github-actions[bot] commented on issue #15124: Potential security vulnerability in the shared library which kafka-connect-avro-converter-shaded depends on.

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #15124:
URL: https://github.com/apache/pulsar/issues/15124#issuecomment-1153048062

   The issue had no activity for 30 days, mark with Stale label.




[GitHub] [pulsar] github-actions[bot] commented on issue #15124: Potential security vulnerability in the shared library which kafka-connect-avro-converter-shaded depends on.

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #15124:
URL: https://github.com/apache/pulsar/issues/15124#issuecomment-1124458640

   The issue had no activity for 30 days, mark with Stale label.




[GitHub] [pulsar] eolivelli commented on issue #15124: Potential security vulnerability in the shared library which kafka-connect-avro-converter-shaded depends on.

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #15124:
URL: https://github.com/apache/pulsar/issues/15124#issuecomment-1124546081

   @HelenParr thanks for your detailed report.
   
   For the future: if you know of a security-related problem, please do not report it on GH; that automatically means disclosing it to the public.
   The process is to send a message to private@pulsar.apache.org or security@apache.org.
   
   
   We can update the library (@nicoloboschi FYI)

