I would like to make a minor correction to my previous email: The pull request https://github.com/apache/bookkeeper/pull/3992 has been merged into the master branch and not rolled back. Consequently, CVE-2023-32732 has been resolved in the master branch with gRPC 1.56.0. However, this change was only rolled back in the branch-4.16 due to the compatibility issues described in the previous email.
Looking ahead, once version 4.17 is released from the master branch, we should be able to use it in Pulsar. This will enable us to upgrade gRPC and protobuf to match the versions used in Bookkeeper, as we have done previously. However, it would be great if we could find a solution to break this dependency cycle.

-Lari

On 2023/12/14 18:42:04 Lari Hotari wrote:
> Dear all,
>
> I'm reaching out to discuss an ongoing issue in Pulsar related to
> CVE-2023-32732, which necessitates upgrading gRPC in Pulsar. Although this
> CVE isn't critical, it's flagged by CVE scanners, and addressing it requires
> careful coordination of upgrades for gRPC and Protobuf libraries in both
> Pulsar and Bookkeeper.
>
> Currently, we face a challenge due to a strong dependency on gRPC and
> Protobuf library versions: upgrades must first occur in Bookkeeper and then
> in Pulsar to maintain compatibility.
> On the Pulsar side, the primary issues stem from Protobuf version upgrades in
> addition to the gRPC incompatibility with the Bookkeeper StateStore client.
>
> In June I made an attempt to upgrade grpc and protobuf in both Pulsar and
> Bookkeeper:
> https://github.com/apache/pulsar/pull/20602 (this was never merged due to
> failing tests)
> https://github.com/apache/bookkeeper/pull/3992 (this was merged, but it had
> to be rolled back)
> https://github.com/apache/bookkeeper/pull/4000 (closed as invalid solution)
>
> In Bookkeeper, we had cherry-picked the upgrade to branch-4.16 and that had
> to be downgraded
> with https://github.com/apache/bookkeeper/pull/4001, because of compatibility
> issues.
>
> A discovery during these changes was the compatibility policy of protobuf
> (https://protobuf.dev/support/cross-version-runtime-guarantee/), which states
> that cross-version runtime support isn't guaranteed. I have also understood
> that grpc has a similar policy. This policy poses a challenge, as it
> necessitates the use of identical grpc and protobuf versions across both
> Pulsar and Bookkeeper.
>
> To address this, one potential solution could be shading grpc & protobuf in
> the bookkeeper client that exposes these dependencies. This might resolve the
> compatibility issue in the bookkeeper client libraries.
>
> I welcome your thoughts and suggestions on this matter.
>
> Best regards,
>
> Lari
>
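As an added illustration of the shading approach proposed in the quoted email (this is not code from the thread, and not the BookKeeper project's actual build), the Maven Shade Plugin configuration below relocates the gRPC and protobuf packages inside a client artifact, so that the consumer's own gRPC/protobuf versions no longer have to match the ones the client was compiled against. The `org.example.shaded` relocation prefix and the choice of which artifacts to bundle are assumptions; the `ServicesResourceTransformer` is a real shade-plugin transformer and is needed because gRPC discovers providers (name resolvers, load balancers, transports) through `ServiceLoader` entries in `META-INF/services`, which would otherwise still name the unrelocated classes.

```xml
<!-- Added example, not the BookKeeper project's build: relocate gRPC and
     protobuf inside a client jar. The "org.example.shaded" prefix and the
     artifact set are assumptions for illustration. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <!-- publish a POM that no longer declares the bundled libraries -->
        <createDependencyReducedPom>true</createDependencyReducedPom>
        <artifactSet>
          <includes>
            <!-- bundle only the libraries that are being relocated;
                 everything else stays an ordinary declared dependency -->
            <include>io.grpc:*</include>
            <include>com.google.protobuf:*</include>
          </includes>
        </artifactSet>
        <relocations>
          <!-- bytecode references in the client's own classes, including
               generated protobuf/gRPC stubs, are rewritten to these names -->
          <relocation>
            <pattern>io.grpc</pattern>
            <shadedPattern>org.example.shaded.io.grpc</shadedPattern>
          </relocation>
          <relocation>
            <pattern>com.google.protobuf</pattern>
            <shadedPattern>org.example.shaded.com.google.protobuf</shadedPattern>
          </relocation>
        </relocations>
        <transformers>
          <!-- rewrite META-INF/services/io.grpc.* provider files so that
               ServiceLoader finds the relocated provider classes -->
          <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
        </transformers>
        <filters>
          <filter>
            <!-- signature files of bundled jars become invalid once their
                 classes are repackaged, so they must be dropped -->
            <artifact>*:*</artifact>
            <excludes>
              <exclude>META-INF/*.SF</exclude>
              <exclude>META-INF/*.DSA</exclude>
              <exclude>META-INF/*.RSA</exclude>
            </excludes>
          </filter>
        </filters>
      </configuration>
    </execution>
  </executions>
</plugin>
```

Two practical checks after building: `jar tf <client>.jar | grep -E '^(com/google/protobuf|io/grpc)/'` should print nothing, since every such entry should now live under the shaded prefix, and `jar xf <client>.jar META-INF/services` followed by a look at the extracted `io.grpc.*` files should show relocated class names. The approach only decouples the versions if the client's public API does not expose gRPC or protobuf types (for example a `Channel` or a generated `Message`) to the caller; any type that crosses the API boundary must stay unshaded and then pins the version again.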