apache / pulsar

Apache Pulsar - distributed pub-sub messaging system
https://pulsar.apache.org/
Apache License 2.0

[Security] Pulsar client uses a snakeyaml version, and libraries depending on it, that are affected by CVE-2022-1471 #20224

Open eugene-cheverda opened 1 year ago

eugene-cheverda commented 1 year ago

Motivation

Snakeyaml v1.32, used in jackson.dataformat.yaml, prometheus and direct Pulsar dependencies, has a security vulnerability described in https://avd.aquasec.com/nvd/cve-2022-1471

Solution

Update prometheus to 0.18.0, jackson libs to 2.15.0 and snakeyaml to 2.0

Alternatives

No response

Anything else?

No response

Are you willing to submit a PR?
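One way to check whether a build still carries the affected SnakeYAML, as an added example that is not Pulsar project code: it parses the text output of `mvn dependency:tree` and reports every path that pulls in `org.yaml:snakeyaml` below 2.0, the version the issue proposes. The sample tree, and every version in it other than snakeyaml 1.32, is constructed for the example.

```python
import re
from typing import List, Tuple

SNAKEYAML = "org.yaml:snakeyaml"
FIXED_VERSION = (2, 0)  # CVE-2022-1471 is fixed in SnakeYAML 2.0

# Constructed sample tree (not real Pulsar output): snakeyaml 1.32 arrives
# directly and via jackson-dataformat-yaml and prometheus; other versions made up.
SAMPLE_TREE = """\
org.apache.pulsar:pulsar-client:jar:0.0.0-EXAMPLE
+- org.yaml:snakeyaml:jar:1.32:compile
+- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
|  \\- org.yaml:snakeyaml:jar:1.32:compile
\\- io.prometheus:simpleclient_common:jar:0.16.0:compile
   \\- org.yaml:snakeyaml:jar:1.32:compile
"""

# Tree-drawing prefix cells ("+- ", "\- ", "|  ", "   ") are 3 chars per level.
LINE_RE = re.compile(r"^([\s|+\\-]*)(\S.*)$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric components of a version string: '1.32' -> (1, 32)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)

def coordinate(entry: str) -> Tuple[str, str]:
    """Return ('group:artifact', version); a 6-field entry has a classifier."""
    parts = entry.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]
    return f"{parts[0]}:{parts[1]}", version

def find_vulnerable_snakeyaml(tree: str) -> List[str]:
    """One 'root -> ... -> snakeyaml:<ver>' path per affected occurrence."""
    stack: List[str] = []
    findings: List[str] = []
    for line in tree.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank or non-tree line
        depth = len(match.group(1)) // 3
        ga, version = coordinate(match.group(2))
        del stack[depth:]  # unwind to this node's parent
        stack.append(f"{ga.split(':')[1]}:{version}")
        if ga == SNAKEYAML and parse_version(version) < FIXED_VERSION:
            findings.append(" -> ".join(stack))
    return findings

if __name__ == "__main__":
    for path in find_vulnerable_snakeyaml(SAMPLE_TREE):
        print("CVE-2022-1471 exposure:", path)
```

Run it against the real output of `mvn dependency:tree` on the module in question to see which transitive paths the proposed upgrades must cover.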

ragunathrajasekaran commented 1 year ago

We can see that the branch-2.10 uses the 2.0 version of snakeyaml. Additionally, we can see that this modification is marked for release 2.10.5. What is the tentative release date for 2.10.5 (along with modifications to snakeyaml)?

github-actions[bot] commented 1 year ago

The issue has had no activity for 30 days; marking it with the Stale label.

tisonkun commented 1 year ago

https://lists.apache.org/thread/vqyth08gll71jv24oyrntl23lqxxdozb 2.10.5 is under voting. You're welcome to test it out and share your test result.

Closed as the issue fixed on the branch.

tisonkun commented 1 year ago

No. Jackson is not upgraded to 2.15.0 now.

github-actions[bot] commented 1 year ago

The issue has had no activity for 30 days; marking it with the Stale label.