[Security] 3.3.0 has several fixable security vulnerabilities.

[adrian-tarau]

Search before asking

• I searched in the issues and found nothing similar.

Read release policy

• I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

3.3.0

Minimal reproduce step

A security scanner will reveal several issues.

What did you expect to see?

Ideally, no security issues are reported against Pulsal (Uber Jar), or at least nothing Critical or High.

What did you see instead?

Several Major issues were reported.

Anything else?

No response

Are you willing to submit a PR?

• I'm willing to submit a PR!

[lhotari]

I'm about to start the release process for Apache Pulsar 3.3.1, so all already fixed issues will be addressed with this release.

A lot of security vulnerability scanner alerts are false positives or don't apply to Apache Pulsar. It would be useful to mention what scanner you are using and what your requirements are ("Several Major issues were reported." isn't addressable).

Apache Pulsar is maintained by volunteers. Active contributions to Apache Pulsar are more than welcome for this type of issues. Releases are typically made every 1-2 months for actively supported versions.

If you need quicker response to security vulnerabilities, I'd recommend subscribing to a commercial distribution of Apache Pulsar (I work for StreamNative which offers such services).

[dave2wave]

Contributions are welcome. Please submit separate PRs for each dependency. Sometimes a dependency update requires extra work depending on changes that may have occurred which may be unrelated to their security fix. (I work for DataStax which also offers such services.)

[lhotari]

The release vote is out for 3.3.1 release: https://lists.apache.org/thread/6o1d37jx8ztcs54d8x120gl4491n4502 . Please help validate the release candidate! @adrian-tarau Does it fix the security vulnerabilities that you have detected?

[adrian-tarau]

Indeed, I was looking for #22819 and #22826. I will validate, thanks.

[adrian-tarau]

It looks like JARs are not deployed in Maven Central (with rc1 or something similar), so I will have to wait for the official release. However, the POM changes look good; thanks.

[lhotari]

It looks like JARs are not deployed in Maven Central (with rc1 or something similar), so I will have to wait for the official release. However, the POM changes look good; thanks.

The release vote email contains the URL of the staging repository, it's https://repository.apache.org/content/repositories/orgapachepulsar-1304/ for 3.3.1 release candidate 1. The version is already 3.3.1 in the jars since the staging repository will be published as 3.3.1 version if the release vote passes.

[adrian-tarau]

I have seen that :) However, I cannot push another repo during builds. Anyway, 3.3.1 (which I presume will be released soon) will have all the security issues fixed (at least the ones reported by Trivy security scanner).

[lhotari]

3.3.1 has been released. Closing this issue.