Dear Pulsar Community,

There's a critical 9.3/10-level RCE vulnerability in the Avro Java SDK
before 1.11.4, CVE-2024-47561.
More details can be found in these resources:
- https://github.com/advisories/GHSA-r7pg-v2c8-mfg3
- https://nvd.nist.gov/vuln/detail/CVE-2024-47561
- https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x

In Pulsar, there's a PR under review to upgrade Avro to 1.11.4:
https://github.com/apache/pulsar/pull/23394

I suggest that we start preparations for expedited Pulsar 3.0.7 and
3.3.2 releases due to this critical vulnerability. I can volunteer to
handle these releases as a release manager.

Further coordination of these releases and discussions about possible
mitigations will be on the dev@pulsar.apache.org mailing list. I have
also sent this message to the us...@pulsar.apache.org list. Mailing
list archives and joining instructions for the dev mailing list can be
found at https://pulsar.apache.org/contact/.

-Lari
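A check an operator may want after reading the message above, added here as an example; it is not part of Lari's message, of the Avro advisory, or of the Pulsar project. It is a POSIX shell script that scans a Pulsar lib/ directory for Avro Java SDK jars whose version sorts before 1.11.4, the fixed version named in the message. It assumes the jar files follow the groupId-artifactId-version.jar naming (for example org.apache.avro-avro-1.11.3.jar); the paths and file names it is run against below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the e-mail above or from Pulsar): scan a Pulsar lib/
# directory for Avro Java SDK jars older than 1.11.4, the fixed version named
# in the message for CVE-2024-47561.
# Assumption: jar files are named <groupId>-<artifactId>-<version>.jar, e.g.
# org.apache.avro-avro-1.11.3.jar or org.apache.avro-avro-protobuf-1.11.3.jar.

FIXED_AVRO_VERSION="1.11.4"

# avro_is_vulnerable VERSION: succeeds (exit 0) when VERSION sorts before 1.11.4.
# sort -V compares dotted versions numerically, so 1.9.2 < 1.11.3 < 1.11.4 < 1.12.0.
avro_is_vulnerable() {
    v="$1"
    [ "$v" = "$FIXED_AVRO_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_AVRO_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# avro_version_from_jar PATH: prints the version embedded in an Avro jar name,
# or nothing if the file name does not look like an Avro artifact.
avro_version_from_jar() {
    basename "$1" | sed -n 's/^.*\(avro[a-z-]*\)-\([0-9][0-9.]*\)\.jar$/\2/p'
}

# scan_lib_dir DIR: prints each vulnerable Avro jar found directly in DIR.
# Returns 1 if at least one vulnerable jar was found, 0 if none.
scan_lib_dir() {
    found=0
    for jar in "$1"/*avro*-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        ver=$(avro_version_from_jar "$jar")
        [ -n "$ver" ] || continue          # not an Avro artifact
        if avro_is_vulnerable "$ver"; then
            echo "VULNERABLE: $jar (avro $ver < $FIXED_AVRO_VERSION, CVE-2024-47561)"
            found=1
        fi
    done
    return "$found"
}

# Usage: sh check_avro.sh /opt/pulsar/lib   (exit status 1 when a vulnerable jar is found)
if [ -d "${1:-}" ]; then
    scan_lib_dir "$1"
fi
```

The version comparison deliberately relies on sort -V rather than on string comparison so that 1.9.2 is ranked below 1.11.3 and 1.12.0 above 1.11.4; a plain lexical compare would get both of those wrong. The scan only looks at jar names, so a vendored or shaded Avro inside another jar would not be reported.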
