Skip to content

[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 #17457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jason918 merged 3 commits into from
Sep 5, 2022
Merged

[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 #17457

Jason918 merged 3 commits into from
Sep 5, 2022

Conversation

@tisonkun
Copy link
Member

@tisonkun tisonkun commented Sep 5, 2022
edited
Loading

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): (yes)

Fix CVEs.

  • doc-not-needed

@tisonkun
[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857
143e56f 
Signed-off-by: tison <wander4096@gmail.com>
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Sep 5, 2022
@tisonkun tisonkun mentioned this pull request Sep 5, 2022
Merged
1 task
@tisonkun
Copy link
Member Author

tisonkun commented Sep 5, 2022

This patch can still fail on OWASP due to CVE-2021-3565 fp. See the report for details or see #17458 as a batch patch.

@tisonkun
more snakeyaml.version
827be37 
Signed-off-by: tison <wander4096@gmail.com>
zymap
zymap requested changes Sep 5, 2022
View reviewed changes
Copy link
Member

@zymap zymap left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Please help to update the license file for pulsar and lib/presto as well.

@zymap zymap added this to the 2.11.0 milestone Sep 5, 2022
@zymap zymap requested a review from Technoboy- September 5, 2022 01:15
@tisonkun
more snakeyaml.version in LICENSE
15298f1 
Signed-off-by: tison <wander4096@gmail.com>
@tisonkun
Copy link
Member Author

tisonkun commented Sep 5, 2022

@zymap nice catch! Updated.

@zymap
Copy link
Member

zymap commented Sep 5, 2022

Thank you!

@tisonkun
Copy link
Member Author

tisonkun commented Sep 5, 2022

/pulsarbot run-failure-checks

@tisonkun
Copy link
Member Author

tisonkun commented Sep 5, 2022

@zymap @Technoboy- @Jason918 This patch is ready to merge. Then I'll rebase #17458 onto this one :)

@Jason918 Jason918 merged commit 3ea478a into apache:master Sep 5, 2022
@tisonkun tisonkun deleted the fix-CVE-2022-25857 branch September 5, 2022 04:24
tisonkun added a commit to tisonkun/pulsar that referenced this pull request Sep 5, 2022
@tisonkun
[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 (apache#17457)
4471abe
@tisonkun tisonkun mentioned this pull request Sep 5, 2022
Merged
1 task
Technoboy- pushed a commit that referenced this pull request Sep 5, 2022
@tisonkun
[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 (#17457) (#17466)
a90f2ec
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Sep 6, 2022
@tisonkun @nicoloboschi
[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 (apache#17457)
f08b7dc 
(cherry picked from commit 3ea478a)
nicoloboschi pushed a commit that referenced this pull request Sep 6, 2022
@tisonkun @nicoloboschi
[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 (#17457)
09155d0 
(cherry picked from commit 3ea478a)
codelipenghui pushed a commit that referenced this pull request Sep 8, 2022
@tisonkun @codelipenghui
[fix][sec] bump snakeyaml to 1.31 fix CVE-2022-25857 (#17457)
f3114b9 
(cherry picked from commit 3ea478a)
@codelipenghui codelipenghui added the cherry-picked/branch-2.8 Archived: 2.8 is end of life label Sep 8, 2022
@pjfanning
Copy link
Member

pjfanning commented Sep 18, 2022

snakeyaml v1.32 fixes a 2nd similar issue - GHSA-9w3m-gqgf-c4p9

@Jason918 Jason918 mentioned this pull request Sep 23, 2022
Merged
13 tasks
@congbobo184
Copy link
Contributor

congbobo184 commented Nov 15, 2022

could you please cherry-pick this PR to branch-2.9? thanks.

@tisonkun
Copy link
Member Author

tisonkun commented Nov 15, 2022

@congbobo184 I think I can pick only #17779 that bump to 1.32. I'm doing this now :)

@congbobo184 congbobo184 added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Nov 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jason918 Jason918 Jason918 approved these changes

@Technoboy- Technoboy- Technoboy- approved these changes

@hezhangjian hezhangjian hezhangjian approved these changes

@zymap zymap zymap approved these changes

Assignees

@tisonkun tisonkun

Labels

area/security cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 cherry-picked/branch-2.11 doc-not-needed Your PR changes do not impact docs release/2.8.5 release/2.9.4 release/2.10.2 release/2.11.1

Projects

None yet

Milestone

2.11.0

Development

Successfully merging this pull request may close these issues.

9 participants

@tisonkun @zymap @pjfanning @congbobo184 @Jason918 @Technoboy- @hezhangjian @codelipenghui @nicoloboschi