[Security] Upgrade vertx to 3.9.7, addresses CVE-2018-12541 #10261
Conversation
/pulsarbot run-failure-checks
LGTM
Can you please explain why we can upgrade without upgrading BK?
It looks like there is an API compatibility issue here.
The API is compatible. That change is just to remove the usage of a deprecated API.
perfect
+1
Motivation
The current vertx version is 3.5.3, which has a vulnerability, CVE-2018-12541.
Changes
Notice:
vertx is a transitive dependency of bookkeeper. There's a separate PR in apache/bookkeeper to upgrade the vertx library: apache/bookkeeper#2693. It should be fine to upgrade vertx to 3.9.7 when using the released bookkeeper version 4.13.0. There isn't a requirement for having a released version of bookkeeper with the upgraded vertx version.
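Because vertx only reaches Pulsar transitively through bookkeeper, the useful check after such an upgrade is whether every resolved `io.vertx` artifact actually ends up at 3.9.7 or later rather than the vulnerable 3.5.3. The script below is an added example, not part of this PR or the Pulsar build: it parses `mvn dependency:tree` text (a constructed sample is embedded, with one artifact deliberately left at 3.5.3) and reports any `io.vertx` artifact still below the required minimum.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not taken from the Pulsar
# build): vertx arrives transitively via bookkeeper's vertx-http-server module.
SAMPLE_TREE = """\
[INFO] org.apache.pulsar:pulsar-broker:jar:2.8.0-SNAPSHOT
[INFO] +- org.apache.bookkeeper:bookkeeper-server:jar:4.13.0:compile
[INFO] |  \\- org.apache.bookkeeper.http:vertx-http-server:jar:4.13.0:compile
[INFO] |     +- io.vertx:vertx-web:jar:3.9.7:compile
[INFO] |     \\- io.vertx:vertx-core:jar:3.5.3:compile
[INFO] \\- io.netty:netty-handler:jar:4.1.63.Final:compile
"""

# Maven coordinate as printed by dependency:tree:
# groupId:artifactId:packaging[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+(?::[\w.\-]+)?:([\w.\-]+):\w+$")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string for ordering; '3.9.7' -> (3, 9, 7)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def resolved_versions(tree: str, group_id: str) -> Dict[str, str]:
    """artifactId -> resolved version for every artifact of group_id in the tree."""
    found: Dict[str, str] = {}
    for line in tree.splitlines():
        match = COORD_RE.search(line)
        if match and match.group(1) == group_id:
            found[match.group(2)] = match.group(3)
    return found


def below_minimum(tree: str, group_id: str, minimum: str) -> List[str]:
    """Coordinates of group_id artifacts that still resolve below `minimum`."""
    versions = resolved_versions(tree, group_id)
    return [f"{group_id}:{artifact}:{version}"
            for artifact, version in sorted(versions.items())
            if version_key(version) < version_key(minimum)]


if __name__ == "__main__":
    stale = below_minimum(SAMPLE_TREE, "io.vertx", "3.9.7")
    print("vertx artifacts below 3.9.7:", stale or "none")
```

Run it against real output with `mvn dependency:tree -Dincludes=io.vertx` piped into `SAMPLE_TREE`'s place; a non-empty result means the transitive override did not take effect for that artifact.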