Owasp build reported the following:

[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)

Thanks Ben for letting us know. Would you please kindly update the Jira
with the listed CVEs and the affected version (3.8.1)?

We'll check if these CVEs should be fixed on ZooKeeper side and if
needed, you should expect a new release from the 3.8.x branch, since
it's an active release branch.

Andor

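An added example, not part of this thread or of the ZooKeeper project: it parses report lines of the shape shown above into one finding per artifact and CVE, flags findings at or above a CVSS threshold, and groups the affected artifact versions per CVE (the information requested for the Jira). The `[ERROR] <artifact>-<version>.jar: CVE-…(score), …` line format is assumed from the three lines quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three report lines from the message above,
# joined back onto one line per artifact (the mail client had wrapped them).
REPORT = """\
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
"""

# Assumed line shape: "[ERROR] <artifact>-<version>.jar: CVE-YYYY-NNNN(score), ..."
# The version starts at the first "-<digit>" so multi-part names (jetty-io) survive.
LINE_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+?)-(?P<version>\d[^:]*)\.jar:\s*(?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    cve: str
    cvss: float


def parse_report(text):
    """Return one Finding per (artifact, CVE) pair; fail loudly on unknown lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        for cve, score in CVE_RE.findall(m["cves"]):
            findings.append(Finding(m["jar"], m["version"], cve, float(score)))
    return findings


def above_threshold(findings, min_cvss):
    """Findings whose CVSS base score is at least min_cvss (e.g. 7.0 for High)."""
    return [f for f in findings if f.cvss >= min_cvss]


def artifacts_by_cve(findings):
    """Map each CVE to the sorted list of affected artifact-version strings."""
    out = {}
    for f in findings:
        out.setdefault(f.cve, set()).add(f"{f.artifact}-{f.version}")
    return {cve: sorted(arts) for cve, arts in out.items()}
```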


On Fri, 2023-05-26 at 08:33 +0200, Andor Molnar wrote:
> Hi Ben,
> 
> Let me check this.
> I triggered an owasp check build on Apache CI:
> https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.1/7/
> 
> Btw, Enrico, we're still having both 3.8.0 and 3.8.1 releases on the
> web page as separate release lines. Would you mind if I submit a change
> to the webpage to remove 3.8.0?
> 
> Not sure who I talked to about it, it was a long time ago.
> 
> Regards,
> Andor
> 
> 
> 
> 
> On Thu, 2023-05-18 at 17:54 +0000, Ben Johnston wrote:
> > > version of zookeeper we are using is 3.8.0
> >  
> > The latest zookeeper release is 3.8.1
> > (https://github.com/apache/zookeeper/releases/tag/release-3.8.1)
> > that included a number of bugfixes, probably some that are in your list
> > 
> > The 3.8.1 release does have a medium and a low CVE, both on the jetty
> > server: CVE-2023-26048 and CVE-2023-26049. When might the team do a
> > release to do security fixes?
> >  
> > Thanks,
> >  
> > Ben Johnston, GCIH, GCFA, GPEN
> > Application Security Engineer
> > COFENSE
> > o. 785-250-4412
> > e. ben.johns...@cofense.com
> >  
> >  
> > From: Dilip anand (Jira) <j...@apache.org>
> > Date: Tuesday, May 16, 2023 at 11:34 AM
> > To: dev@zookeeper.apache.org <dev@zookeeper.apache.org>
> > Subject: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper
> > latest version
> > 
> > Dilip anand created ZOOKEEPER-4696:
> > --------------------------------------
> > 
> >              Summary: Update for Zookeeper latest version
> >                  Key: ZOOKEEPER-4696
> >                  URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
> >              Project: ZooKeeper
> >           Issue Type: Bug
> >             Reporter: Dilip anand
> > 
> > 
> > Hi team,
> > 
> > We ran a scan for security vulnerability fixes; we have seen CVEs that
> > affect zookeeper, and the version of zookeeper we are using is 3.8.0.
> > Here are the CVEs which are affected with zookeeper:
> > CVE-2022-32221, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534,
> > CVE-2022-22576, CVE-2020-8169, CVE-2020-8285, CVE-2020-8286,
> > CVE-2021-22926, CVE-2021-22946, CVE-2022-27775, CVE-2022-27781,
> > CVE-2022-27782, CVE-2023-23916,
> > which do not have any reports on the red hat website. We want to know
> > what version of zookeeper will clear these CVEs and when it'll be
> > released?
> > 
> > Regards,
> > Dilip
> > 
> > 
> > 
