Thanks Iain. We're pressing ahead with work on a PR already [1]. Feel free to 
review it.

It is incomplete. There is uncommitted work being done on limiting the 
possibilities of getting duplicate IDs.

There is also a related PR about how to handle duplicate IDs if they do appear 
[2].

If you do think that what we are doing is insufficient and feel that the 
information is security sensitive, feel free to email me privately.

We will certainly consider your solution if you pass it to us.

[1] https://github.com/apache/incubator-pekko/pull/371
[2] https://github.com/apache/incubator-pekko/pull/379

On 2023/06/09 15:18:48 Iain Hull wrote:
> Hi PJ,
> 
> I have an internal fix for the Akka DNS issue. I have been very careful not 
> to look at any akka changes post 2.6. I need to get approval to make the 
> changes public. Once I have done that I am happy to post both fixes in PRs 
> for further discussion. Hopefully by next week.
> 
> Iain.
> ________________________________
> From: kerr <hepin1...@gmail.com>
> Sent: 09 June 2023 04:21
> To: dev@pekko.apache.org <dev@pekko.apache.org>
> Subject: [External Sender] Re: recent Akka security fixes (CVEs)
> 
> There is some open data from 
> https://discuss.lightbend.com
> 何品
> 
> 
> On Fri, Jun 9, 2023 at 05:08, PJ Fanning <fannin...@apache.org> wrote:
> 
> > Hi everyone,
> >
> > We are aware of the Akka fixes [1] and are working on Pekko equivalents.
> >
> > We cannot use the Akka fixes as they are not open sourced. If anyone
> > wants to contribute to the related PRs, please be aware that we cannot
> > accept any code or comments based on the Akka changes. Any PRs
> > submitted to Apache projects need to be based on your own work.
> >
> > The issue with the Async DNS resolver is the most complicated to fix
> > [2] and will delay the Pekko Core RC1 by a week or two.
> >
> > If anyone finds other security related issues in Akka or Pekko, they should
> > ideally report them to the Apache Security team and not disclose the
> > issue publicly (see policy [3]). We will notify the Akka team, just in
> > case the issue was only reported to us.
> >
> > Thanks,
> > PJ
> >
> >
> > [1] https://akka.io/security/
> > [2] https://github.com/apache/incubator-pekko/pull/371
> > [3] https://www.apache.org/security/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@pekko.apache.org
> > For additional commands, e-mail: dev-h...@pekko.apache.org
> >
> >
> 
