[jira] [Commented] (ZOOKEEPER-4696) Update for Zookeeper latest version
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17745169#comment-17745169 ]

Anton Stadnikov commented on ZOOKEEPER-4696:

Are there any plans to merge these changes to the currently latest stable 3.7.x branch?

> Update for Zookeeper latest version
> -----------------------------------
>
>                 Key: ZOOKEEPER-4696
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.8.0
>            Reporter: Dilip anand
>            Assignee: Szucs Villo
>            Priority: Critical
>              Labels: CVE
>
> Hi team,
> We ran a scan for security vulnerability fixes, we have seen CVEs that
> are affected for zookeeper and version of zookeeper we are using is 3.8.0.
> Here are the CVEs which are affected with zookeeper
> CVE-2022-32221, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534, CVE-2022-22576, CVE-2020-8169, CVE-2020-8285, CVE-2020-8286, CVE-2021-22926, CVE-2021-22946, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2023-23916
> which do not have any reports in the Red Hat website. We want to know what
> version of zookeeper will clear these CVEs and when it'll be released?
> Regards,
> Dilip

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (ZOOKEEPER-4696) Update for Zookeeper latest version
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17728239#comment-17728239 ]

Szucs Villo commented on ZOOKEEPER-4696:

There are 3 CVEs in the branch-3.8.1:

[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)

I think CVE-2022-45688 is a false positive. ([https://github.com/jeremylong/DependencyCheck/actions/runs/5126385253])

CVE-2023-26048(5.3) and CVE-2023-26049(5.3) are tracked here: https://issues.apache.org/jira/browse/ZOOKEEPER-4700.
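The scanner output quoted in the comment above ties each CVE to a specific jar and a CVSS score, which is what makes a three-way triage possible: fix, track in another ticket, or suppress as a false positive. The Python below is an added example for this thread, not code from ZooKeeper or from the dependency-check project: it parses lines of that `[ERROR] jar: CVE(score)` shape, buckets the CVEs by a reviewer's decision table, and emits a dependency-check suppression entry for the one judged a false positive. The decision table, the sample lines and the helper names are constructed for the example; the suppression file layout follows the dependency-check 1.3 suppression schema.

```python
"""Triage the per-jar findings that OWASP dependency-check prints as
    [ERROR] <jar>: CVE-XXXX-NNNN(score), ...
into a per-CVE view, apply a reviewer's decisions, and write a suppression
entry for a finding judged a false positive.

Added example for this thread; not ZooKeeper or dependency-check code.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input: the [ERROR] lines quoted in the comment above.
SAMPLE_OUTPUT = """\
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
"""

# Assumed reviewer decisions: status plus the evidence a suppression must cite.
DECISIONS = {
    "CVE-2022-45688": ("false_positive",
                       "Flagged against jackson-core; judged a false positive, see "
                       "https://github.com/jeremylong/DependencyCheck/actions/runs/5126385253"),
    "CVE-2023-26048": ("tracked", "https://issues.apache.org/jira/browse/ZOOKEEPER-4700"),
    "CVE-2023-26049": ("tracked", "https://issues.apache.org/jira/browse/ZOOKEEPER-4700"),
}

LINE_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s*(?P<cves>.+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_findings(text):
    """Map each CVE to its score and the list of jars it was reported on."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # progress output, warnings, anything that is not a finding
        for cve, score in CVE_RE.findall(m.group("cves")):
            entry = findings.setdefault(cve, {"score": float(score), "jars": []})
            entry["jars"].append(m.group("jar"))
    return findings


def split_jar(jar):
    """'jetty-io-9.4.49.v20220914.jar' -> ('jetty-io', '9.4.49.v20220914')."""
    m = JAR_RE.match(jar)
    if not m:
        raise ValueError(f"unrecognised jar name: {jar}")
    return m.group("artifact"), m.group("version")


def triage(findings, decisions):
    """Bucket CVEs by decision, highest score first. A CVE with no decision
    stays 'open' so it cannot silently drop out of the report."""
    buckets = {"open": [], "tracked": [], "false_positive": []}
    for cve, info in sorted(findings.items(), key=lambda kv: -kv[1]["score"]):
        status = decisions.get(cve, ("open", ""))[0]
        buckets[status].append(cve)
    return buckets


def suppression_xml(findings, decisions):
    """Emit a dependency-check suppression file for the false positives.
    Each rule is pinned to the exact jar file name and to one CVE, so a
    version bump stops the rule matching and forces a fresh look."""
    rules = []
    for cve, (status, note) in decisions.items():
        if status != "false_positive" or cve not in findings:
            continue
        for jar in findings[cve]["jars"]:
            rules.append(
                "  <suppress>\n"
                f"    <notes>{escape(note)}</notes>\n"
                f"    <filePath regex=\"true\">.*[\\\\/]{re.escape(jar)}$</filePath>\n"
                f"    <cve>{escape(cve)}</cve>\n"
                "  </suppress>"
            )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
        'dependency-suppression.1.3.xsd">\n'
        + "\n".join(rules) + "\n</suppressions>\n"
    )


def is_well_formed(xml_text):
    """True if the generated suppression file parses as XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    for cve, info in found.items():
        print(cve, info["score"], [split_jar(j) for j in info["jars"]])
    print(triage(found, DECISIONS))
    print(suppression_xml(found, DECISIONS))
```

Pinning each suppression to the exact jar file name and a single CVE ID, rather than to the artifact in general, is deliberate: once the jar is replaced (for instance by the Jetty upgrade discussed elsewhere in this thread) the rule no longer matches and the CVE has to be re-evaluated instead of staying hidden. The tracked bucket is reported separately from the open one so that a CVE with a ticket is still visible in every scan until the fix actually lands.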
[jira] [Commented] (ZOOKEEPER-4696) Update for Zookeeper latest version
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17727562#comment-17727562 ]

Szucs Villo commented on ZOOKEEPER-4696:

I started working on the patch. I think we need to upgrade the main version of Jetty because all of the 9.4-based versions have CVE problems. See here: [https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server].

We should upgrade Jetty to 11.0.15, which is the latest version. For this, we need quite a few code changes because of the deprecated methods and classes. [https://www.eclipse.org/jetty/javadoc/jetty-10/deprecated-list.html]