Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2022/04/20 11:04:30 UTC

[GitHub] [servicecomb-pack] HelenParr opened a new issue, #753: Potential security vulnerabilities in the C libraries. Can you help upgrade to patch versions?

HelenParr opened a new issue, #753:
URL: https://github.com/apache/servicecomb-pack/issues/753

   Hi, @coolbeevip , @WillemJiang , I'd like to report a vulnerability issue in **org.apache.servicecomb.pack:alpha-server:0.6.0**.
   ### Issue Description
   **org.apache.servicecomb.pack:alpha-server:0.6.0** directly or transitively depends on ***55*** C libraries (.so) across many platforms (such as x86-64, x86, arm64, armhf). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:
   
   `libzstd-jni.so` from C project **zstd (version: 1.3.7)** exposes ***2*** vulnerabilities:
   [CVE-2021-24031](https://nvd.nist.gov/vuln/detail/CVE-2021-24031), [CVE-2019-11922](https://nvd.nist.gov/vuln/detail/CVE-2019-11922)
   `liblz4-java.so` from C project **lz4 (version: 1.8.3)** exposes ***2*** vulnerabilities:
   [CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520), [CVE-2019-17543](https://nvd.nist.gov/vuln/detail/CVE-2019-17543)
   
   ### Suggested Vulnerability Patch Versions
   ***zstd*** has fixed the vulnerabilities in versions ***>=1.4.9***
   ***lz4*** has fixed the vulnerabilities in versions ***>=1.9.2***
   
   Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects.
   Could you please upgrade the above shared libraries to their patched versions?
   
   Thanks for your help~
   Best regards,
   Helen Parr


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [servicecomb-pack] WillemJiang commented on issue #753: Potential security vulnerabilities in the C libraries. Can you help upgrade to patch versions?

Posted by GitBox <gi...@apache.org>.
WillemJiang commented on issue #753:
URL: https://github.com/apache/servicecomb-pack/issues/753#issuecomment-1103928403

   Thanks for reporting it.
   We need to figure out which third-party dependencies introduced the C libraries that need to be upgraded.


[GitHub] [servicecomb-pack] WillemJiang closed issue #753: Potential security vulnerabilities in the C libraries. Can you help upgrade to patch versions?

Posted by GitBox <gi...@apache.org>.
WillemJiang closed issue #753: Potential security vulnerabilities in the C libraries. Can you help upgrade to patch versions?
URL: https://github.com/apache/servicecomb-pack/issues/753


[GitHub] [servicecomb-pack] WillemJiang commented on issue #753: Potential security vulnerabilities in the C libraries. Can you help upgrade to patch versions?

Posted by GitBox <gi...@apache.org>.
WillemJiang commented on issue #753:
URL: https://github.com/apache/servicecomb-pack/issues/753#issuecomment-1107670527

   https://issues.apache.org/jira/browse/SCB-2459
   Merged the patch into master branch.


[GitHub] [servicecomb-pack] WillemJiang commented on issue #753: Potential security vulnerabilities in the C libraries. Can you help upgrade to patch versions?

Posted by GitBox <gi...@apache.org>.
WillemJiang commented on issue #753:
URL: https://github.com/apache/servicecomb-pack/issues/753#issuecomment-1104680751

   I just checked the dependencies of alpha server; the C libraries issue is introduced by the Kafka client.
   ```
   org.apache.kafka:kafka-clients:jar:2.5.1:compile
   [INFO]    +- com.github.luben:zstd-jni:jar:1.4.4-7:compile
   [INFO]    +- org.lz4:lz4-java:jar:1.7.1:compile
   ```
   
   We need to consider upgrading the Kafka clients version.

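The two findings in this thread, that Java build tools do not surface native libraries bundled inside jars and that the offending jars here turned out to be zstd-jni 1.4.4-7 and lz4-java 1.7.1 pulled in via kafka-clients 2.5.1, can be turned into a check that runs over a Maven local repository or an application's lib/ directory. The script below is an added example, not code from servicecomb-pack or any of its dependencies: it opens each jar, lists embedded native objects (.so, .dll, .dylib, .jnilib), reads the artifact coordinates from META-INF/maven/*/*/pom.properties, and compares the artifact version against a minimum. The `MIN_VERSIONS` thresholds are assumptions chosen for illustration (zstd-jni 1.4.9-1, following the zstd-jni convention that jar version X.Y.Z-N bundles zstd X.Y.Z, so that it corresponds to the ">=1.4.9" the report asks for; lz4-java 1.8.0 as a placeholder, since the jar version alone does not reveal which upstream lz4 release it bundles and must be checked against the artifact's release notes). `build_sample_jar` constructs a fixture jar with placeholder bytes in place of real shared objects so the example runs offline.

```python
"""Scan jars for bundled native libraries and flag artifacts below a minimum version.

Added example; not part of servicecomb-pack or any dependency it uses.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")

# Policy: minimum acceptable Maven artifact version for native-bearing artifacts.
# These values are assumptions for the example. They are expressed on the jar
# version (what the artifact exposes), not the upstream C library version, so the
# mapping must be verified per artifact (zstd-jni X.Y.Z-N bundles zstd X.Y.Z;
# lz4-java's bundled lz4 version is not derivable from its jar version).
MIN_VERSIONS = {
    ("com.github.luben", "zstd-jni"): "1.4.9-1",
    ("org.lz4", "lz4-java"): "1.8.0",
}

POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """Split a version like '1.4.4-7' into a comparable tuple of ints: (1, 4, 4, 7)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inspect_jar(data):
    """Return the native entries and Maven coordinates found in one jar's bytes."""
    natives, coords = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(NATIVE_SUFFIXES):
                natives.append(name)
            m = POM_PROPS_RE.match(name)
            if m:
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                coords.append((m.group(1), m.group(2), props.get("version", "")))
    return {"natives": natives, "coords": coords}


def findings(data, min_versions=MIN_VERSIONS):
    """Flag a jar only if it ships native code AND its artifact is below the policy minimum."""
    info = inspect_jar(data)
    if not info["natives"]:
        return []
    out = []
    for group, artifact, version in info["coords"]:
        minimum = min_versions.get((group, artifact))
        if minimum is not None and parse_version(version) < parse_version(minimum):
            out.append({"artifact": f"{group}:{artifact}", "version": version,
                        "minimum": minimum, "natives": info["natives"]})
    return out


def scan_dir(path, min_versions=MIN_VERSIONS):
    """Scan every *.jar under path (a Maven local repo, a lib/ directory, an unpacked image)."""
    return {str(jar): findings(jar.read_bytes(), min_versions)
            for jar in Path(path).rglob("*.jar")}


def build_sample_jar(group, artifact, version, native_paths):
    """Constructed fixture: a minimal jar with pom.properties and placeholder native entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"# generated\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
        for p in native_paths:
            zf.writestr(p, b"\x7fELF")  # placeholder bytes, not a real shared object
    return buf.getvalue()


if __name__ == "__main__":
    for jar, hits in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for h in hits:
            print(f"{jar}: {h['artifact']} {h['version']} < {h['minimum']}; natives: {h['natives']}")
```

Run it against `~/.m2/repository` or the alpha server's unpacked distribution to list every jar that carries native code and is older than the policy says. Only jars that actually embed a native object are flagged, which keeps the report focused on the gap the issue describes: a pure-Java artifact below the threshold is a normal dependency-upgrade question that `mvn dependency:tree` plus a CVE scanner already covers, whereas a jar that loads a bundled libzstd-jni.so or liblz4-java.so at runtime carries C code those tools never see.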