Re: [DISCUSS] Backport CVE-2021-45232 fix code

Wed, 29 Dec 2021 18:04:46 -0800 

Hi, after confirming with JunXu Chen that the vulnerability was introduced
in version 2.7.0.

We need to cherry-pick the fixed commit[1] to the appropriate release
branch to re-release the fixed version.

Affected versions are v2.9.0, v2.8, v2.7.1, these versions need to be
released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.

I will submit the corresponding fix PRs.

[1]
https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd

Zhiyuan Ju <juzhiy...@apache.org> 于2021年12月30日周四 09:13写道:

> Hi Yuan Bao,
>
> According to this mailing list's feedbacks, we need to backport that fix to
> the previous version, could you help to do that? And PMC could help you to
> release them.
>
> Best Regards!
> @ Zhiyuan Ju <https://github.com/juzhiyuan>
>
>
> okaybase <okayb...@apache.org> 于2021年12月29日周三 22:49写道:
>
> > Support backport the fix +1
> > This will help users to quickly improve the security of the Dashboard.
> >
> > JunXu Chen <chenju...@apache.org> 于2021年12月29日周三 20:48写道:
> >
> > > Support backport the fix +1
> > >
> > >
> > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.ts...@icloud.com
> > > .invalid>
> > > wrote:
> > >
> > > > Agreed to backport the fix. For users using APISIX in prod
> environment,
> > > > It will be a long day to upgrade both APISIX and APISIX dashboard.
> > > >
> > > >
> > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <juzhiy...@apache.org>
> wrote:
> > > > >
> > > > > I also support back port this fix to previous Dashboard, or
> provide a
> > > > quick
> > > > > way for users to disable those 2 Unauthorized APIs
> > > > >
> > > > > Baoyuan <baoyuan....@gmail.com>于2021年12月29日 周三下午4:35写道:
> > > > >
> > > > >> Hi Community, when APISIX Dashboard users try to fix
> CVE-2021-45232,
> > > > they
> > > > >> need to upgrade Dashboard to version 2.10.1.
> > > > >>
> > > > >> Due to the Dashboard version needing to correspond to APISIX,
> users
> > > will
> > > > >> also need to consider upgrading APISIX, which may cause
> > inconvenience
> > > to
> > > > >> users.
> > > > >>
> > > > >> Are we considering backporting the fixed code for this
> vulnerability
> > > to
> > > > the
> > > > >> previous affected version? What do you think?
> > > > >>
> > > > > --
> > > > > 来自 琚致远
> > > >
> > > >
> > >
> >
>

Reply via email to