Dear all, I'm reaching out to discuss an ongoing issue in Pulsar related to CVE-2023-32732, which necessitates upgrading gRPC in Pulsar. Although this CVE isn't critical, it's flagged by CVE scanners, and addressing it requires careful coordination of upgrades for gRPC and Protobuf libraries in both Pulsar and Bookkeeper.
Currently, we face a challenge due to a strong dependency on gRPC and Protobuf library versions: upgrades must first occur in Bookkeeper and then in Pulsar to maintain compatibility. On the Pulsar side, the primary issues stem from Protobuf version upgrades in addition to the gRPC incompatibility with the Bookkeeper StateStore client.

In June, I made an attempt to upgrade grpc and protobuf in both Pulsar and Bookkeeper:
- https://github.com/apache/pulsar/pull/20602 (this was never merged due to failing tests)
- https://github.com/apache/bookkeeper/pull/3992 (this was merged, but it had to be rolled back)
- https://github.com/apache/bookkeeper/pull/4000 (closed as invalid solution)

In Bookkeeper, we had cherry-picked the upgrade to branch-4.16 and that had to be downgraded with https://github.com/apache/bookkeeper/pull/4001, because of compatibility issues.

A discovery during these changes was the compatibility policy of protobuf (https://protobuf.dev/support/cross-version-runtime-guarantee/), which states that cross-version runtime support isn't guaranteed. I have also understood that grpc has a similar policy. This policy poses a challenge, as it necessitates the use of identical grpc and protobuf versions across both Pulsar and Bookkeeper.

To address this, one potential solution could be shading grpc & protobuf in the bookkeeper client that exposes these dependencies. This might resolve the compatibility issue in the bookkeeper client libraries.

I welcome your thoughts and suggestions on this matter.

Best regards,
Lari
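A sketch of what shading gRPC and Protobuf inside a client artifact could look like with the Maven Shade Plugin, added here as an illustration; it is not taken from Lari's message or from the Bookkeeper build, and the module, relocation prefix and plugin placement are assumptions:

```xml
<!-- Hypothetical pom.xml fragment for a client module. The relocation
     prefix org.example.shaded and the artifact selection are assumptions,
     not Bookkeeper's actual build configuration. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <executions>
    <execution>
      <phase>package</phase>
      <goals><goal>shade</goal></goals>
      <configuration>
        <!-- Publish a POM without the bundled libraries as transitive deps,
             so consumers do not pull a second, unshaded copy. -->
        <createDependencyReducedPom>true</createDependencyReducedPom>
        <artifactSet>
          <!-- Bundle only the libraries whose runtime versions must match. -->
          <includes>
            <include>io.grpc:*</include>
            <include>com.google.protobuf:*</include>
          </includes>
        </artifactSet>
        <relocations>
          <!-- Moving the packages lets the consumer keep its own io.grpc and
               com.google.protobuf versions without a classpath clash. -->
          <relocation>
            <pattern>io.grpc</pattern>
            <shadedPattern>org.example.shaded.io.grpc</shadedPattern>
          </relocation>
          <relocation>
            <pattern>com.google.protobuf</pattern>
            <shadedPattern>org.example.shaded.com.google.protobuf</shadedPattern>
          </relocation>
        </relocations>
        <transformers>
          <!-- gRPC locates channel, name-resolver and load-balancer providers
               via ServiceLoader; this rewrites META-INF/services entries so
               the relocated provider class names are still found at runtime. -->
          <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
        </transformers>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Only classes inside the shaded jar are rewritten, so any module compiled against the unshaded client artifact still references the original packages and would need to build against the shaded artifact instead.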