
[Security] Upgrade vertx to 3.9.7, addresses CVE-2018-12541 #10261

Merged
merged 1 commit into from Apr 19, 2021

Conversation

lhotari
Member

@lhotari lhotari commented Apr 19, 2021

Motivation

The current vertx version is 3.5.3, which has a vulnerability, CVE-2018-12541.

Changes

  • Upgrade vertx version to 3.9.7 which is the most recent in 3.x releases.

Notice:
vertx is a transitive dependency of bookkeeper. There's a separate PR in apache/bookkeeper to upgrade the vertx library: apache/bookkeeper#2693. It should be fine to upgrade vertx to 3.9.7 when using the released bookkeeper version 4.13.0. There isn't a requirement for having a released version of bookkeeper with the upgraded vertx version.
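Because vertx arrives transitively through bookkeeper, a practitioner will want to confirm that the override really takes effect on every path that pulls it in. The following is an added example, not code from this PR or from the Pulsar or BookKeeper projects: it scans `mvn dependency:tree` output and reports any io.vertx artifact still resolved below 3.9.7. The tree text is a constructed sample, and the org.example root coordinates are assumed for illustration.

```python
import re
from typing import List, Tuple

# Minimum io.vertx version the PR moves to (addresses CVE-2018-12541).
FIXED_VERTX = "3.9.7"

# Constructed sample of `mvn dependency:tree` output, not real project output.
# vertx is pulled in transitively by bookkeeper-server at the old 3.5.3.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- org.apache.bookkeeper:bookkeeper-server:jar:4.13.0:compile
[INFO] |  +- io.vertx:vertx-core:jar:3.5.3:compile
[INFO] |  |  \\- io.netty:netty-handler:jar:4.1.60.Final:compile
[INFO] |  \\- io.vertx:vertx-web:jar:3.5.3:compile
[INFO] \\- io.vertx:vertx-auth-common:jar:3.9.7:compile
"""

# Matches the coordinates on a tree line: group:artifact:packaging[:classifier]:version:scope
GAV_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+(?::[\w.\-]+)?:([\w.\-]+):(\w+)\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.9.7' into (3, 9, 7); textual qualifiers such as '.Final' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, version) for every dependency line in the tree."""
    found = []
    for line in text.splitlines():
        m = GAV_RE.search(line)
        if m:  # the root line has no scope and is skipped on purpose
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def vulnerable_vertx(text: str, fixed: str = FIXED_VERTX) -> List[Tuple[str, str]]:
    """List each io.vertx artifact that is still resolved below the fixed version."""
    floor = parse_version(fixed)
    return sorted({(a, v) for g, a, v in parse_tree(text)
                   if g == "io.vertx" and parse_version(v) < floor})


if __name__ == "__main__":
    for artifact, version in vulnerable_vertx(SAMPLE_TREE):
        print(f"io.vertx:{artifact} resolved at {version}, below {FIXED_VERTX}")
```

Run it against the real tree with `mvn dependency:tree | python3 this_script.py`-style piping adapted to read stdin; an empty result means no path still resolves a pre-3.9.7 vertx.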

@lhotari
Member Author

lhotari commented Apr 19, 2021

/pulsarbot run-failure-checks

@lhotari
Member Author

lhotari commented Apr 19, 2021

/pulsarbot run-failure-checks

@lhotari
Member Author

lhotari commented Apr 19, 2021

/pulsarbot run-failure-checks

Contributor

@eolivelli eolivelli left a comment


LGTM

Contributor

@eolivelli eolivelli left a comment


Can you please explain why we can upgrade without upgrading BK?

It looks like there is an API compatibility issue here:

https://github.com/apache/bookkeeper/pull/2693/files#diff-edeb9ac83b92c91d8ea5563e07e27c3d4b34f241f0d248d49f68b3dfa490dd23L85

@lhotari
Member Author

lhotari commented Apr 19, 2021

Can you please explain why we can upgrade without upgrading BK?

It looks like there is an API compatibility issue here:

https://github.com/apache/bookkeeper/pull/2693/files#diff-edeb9ac83b92c91d8ea5563e07e27c3d4b34f241f0d248d49f68b3dfa490dd23L85

The API is compatible. That change is just to remove the usage of a deprecated API.

Contributor

@eolivelli eolivelli left a comment


Perfect.

+1
