lhotari opened a new pull request, #23725:
URL: https://github.com/apache/pulsar/pull/23725
### Motivation
See CVE-2024-53990. There aren't backend services in Pulsar that would use
cookies, however since it's a high severity vulnerability, there's a need to
mitigate it. Eventually we will need to upgrade to AsyncHttpClient 3.0.1 to get
rid of the vulnerable dependency AsyncHttpClient 2.12.x.
### Modifications
- As a mitigation, disable CookieStore by setting it to null
- This PR doesn't upgrade to AsyncHttpClient 3.0.1
- Upgrading to AsyncHttpClient 3.0.1 will be more work. It will be handled
separately.
### Documentation
<!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
- [ ] `doc` <!-- Your PR contains doc changes. -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update
later -->
- [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
