Question : What are the upgrade plans for vulnerability CVE-2024-26308 on commons-compress ?

kubernetes-client / java

Official Java client library for kubernetes

http://kubernetes.io/

Apache License 2.0

3.59k stars 1.91k forks source link

Question : What are the upgrade plans for vulnerability CVE-2024-26308 on commons-compress ? #3156

Closed Nazima-Begum closed 7 months ago

Nazima-Begum commented 8 months ago

There is a vulnerability CVE-2024-26308, this issue affects Apache Commons Compress: from 1.21 before 1.26 CVE URL: https://ciam.cisco.com/corona/cves/CVE-2024-26308/ The latest version of kubernetes-client-java (20.0.0) has the commons-compress version 1.25.0.

Are there any plans to upgrade kubernetes-client-java , which uses apache- commons-compress version 1.26 ?

brendandburns commented 8 months ago

It's already updated at HEAD:

https://github.com/kubernetes-client/java/blob/master/pom.xml#L65

It will get updated when a new version is released (21.0.0)

If you want it for older versions, please send a cherry-pick PR and we can release a patch version.

vijeyanidhi commented 8 months ago

@brendandburns if we want the cve upgrade fix to be released for 20.0.0, do we have to cherry pick the commit and merge into the release-20 branch?

brendandburns commented 8 months ago

@vijeyanidhi correct, cherry-pick the commit and send a PR for the release-20 branch, then we'll cut a 20.0.1 release.

Thanks! --brendan

vijeyanidhi commented 8 months ago

PR created : https://github.com/kubernetes-client/java/pull/3174

brfrn169 commented 8 months ago

We also need this fix for release-legacy-20.

I've created a PR for it: https://github.com/kubernetes-client/java/pull/3194

@brendandburns Could you please take a look?

ryanjbaxter commented 8 months ago

I also submitted a PR for release-19

brendandburns commented 7 months ago

Updated, 20.0.1 has been pushed to maven central with the update dependency. I will work on release-19 now.

ryanjbaxter commented 7 months ago

Thanks @brendandburns, looking forward to the release!

brendandburns commented 7 months ago

19.0.1 has been pushed out to sonatype, should be in maven central in ~1 day.

brfrn169 commented 7 months ago

@brendandburns Could you please also release 20.0.1-legacy (the branch release-legacy-20)?

brendandburns commented 7 months ago

PR #3203 needs to merge first, and then we can cut the release.

brendandburns commented 7 months ago

@brfrn169

20.0.1-legacy has been pushed to sonatype, should be in maven central in 24h. Closing this issue. Use the /reopen command if you need anything more.

brfrn169 commented 7 months ago

Thank you @brendandburns.