James, There is no specific timeline determined for 1.19.0 at this moment but we likely could just choose to spin a release there. I will initiate a 1.19 discussion now (that will be on dev if you want to follow along)
I don't see 1.18.1 as ultra realistic as we've made so many dependency updates and such that we really ought to move forward with new capabilities, fixes, and security related items (like this) that we have now. Thanks Joe On Thu, Nov 10, 2022 at 12:28 PM James <[email protected]> wrote: > Hi > > Do you know if a 1.18.1 version will be released for this, even if it is > just "cosmetic"? This statement is pretty accurate for something like this: > "upgrade to stop the endless high prio Excel sheets with vulnerability > scanner results showing our NiFi servers having the vulnerable library > present on disk" > > If it has been decided that you're waiting for a 1.19 release instead, is > there a timeline I can quote in response to the emails? > > Thanks for all the work done on Nifi! > > James > > On Mon, Oct 24, 2022 at 3:22 PM Isha Lamboo < > [email protected]> wrote: > >> I second Tom's sentiment. It would be very much appreciated that we can >> go ahead and upgrade to stop the endless high prio Excel sheets with >> vulnerability scanner results showing our NiFi servers having the >> vulnerable library present on disk. >> >> The Github pull requests mentions this: "The upgrade mitigates >> CVE-2022-42889, although Apache NiFi does not include any direct references >> to vulnerable instances of the StringLookup class." >> >> An official statement along those lines would also help, but after log4j >> it seems upgrading away the vulnerabilities is less work than managing scan >> results and waivers. >> >> Regards, >> >> Isha >> >> -----Oorspronkelijk bericht----- >> Van: Tom Coudyzer <[email protected]> >> Verzonden: vrijdag 21 oktober 2022 20:21 >> Aan: [email protected] >> Onderwerp: Re: CVE-2022-42889 and impact on Apache Nifi >> >> Hi, >> >> Apologies if I posted through the wrong channels. Will have a look to the >> guidelines. >> Thanks 🙏 for sharing the pointers on the work that has been done! >> >> 1.18.1 could be a good idea I think as you say it would let people more >> comfortable as there is much noise around this CVE and the immediate >> conclusion that a patch is needed while it may be a product is not >> vulnerable to it although having the library as a dependency. >> >> Thanks again! >> >> /Tom >> >> >> > On 21 Oct 2022, at 20:10, Joe Witt <[email protected]> wrote: >> > >> > Tom >> > >> > In the future if you're concerned or have questions about a >> > vulnerability/potential vulnerability please follow the guidance here. >> > >> > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnifi >> > .apache.org%2Fsecurity.html&data=05%7C01%7Cisha.lamboo%40virtualsc >> > iences.nl%7Cead4aedb1e194bf71e2608dab391076a%7C21429da9e4ad45f99a6fcd1 >> > 26a64274b%7C0%7C0%7C638019732721385842%7CUnknown%7CTWFpbGZsb3d8eyJWIjo >> > iMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C% >> > 7C%7C&sdata=fvlXGKvjL57mhwNFCuHFadP%2BBIb1bzpxojo9sf0yLCk%3D&r >> > eserved=0 >> > >> > Here you can see what we've done for this already on main >> > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissu >> > es.apache.org%2Fjira%2Fbrowse%2FNIFI-10648&data=05%7C01%7Cisha.lam >> > boo%40virtualsciences.nl%7Cead4aedb1e194bf71e2608dab391076a%7C21429da9 >> > e4ad45f99a6fcd126a64274b%7C0%7C0%7C638019732721542087%7CUnknown%7CTWFp >> > bGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn >> > 0%3D%7C3000%7C%7C%7C&sdata=3ZcHs%2Fk%2BTq9KQNHUSuqgQs1snjqYA9UeqFA >> > ajWWD35A%3D&reserved=0 with more info in >> > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith >> > ub.com%2Fapache%2Fnifi%2Fpull%2F6531&data=05%7C01%7Cisha.lamboo%40 >> > virtualsciences.nl%7Cead4aedb1e194bf71e2608dab391076a%7C21429da9e4ad45 >> > f99a6fcd126a64274b%7C0%7C0%7C638019732721542087%7CUnknown%7CTWFpbGZsb3 >> > d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7 >> > C3000%7C%7C%7C&sdata=1FqnqsteyJJbYvfdu%2FVGs9L%2BJHsuaYVwwl2HP4ie% >> > 2Bvg%3D&reserved=0 >> > >> > It doesn't seem like it thus far but might be worth kicking out a >> > 1.18.1 just to help people feel more comfortable. Will share more if >> > that shapes up. >> > >> > Thanks >> > Joe >> > >> >> On Fri, Oct 21, 2022 at 10:50 AM Tom Coudyzer <[email protected]> >> wrote: >> >> >> >> Hi, >> >> >> >> I looked on the Apache Nifi site and linked sites to find information >> on how CVE-2022-42889 impacts Apache Nifi. >> >> >> >> I found an issue report and merge request which indicates the library >> >> Apache Commons Text has been upgraded to the patched version (1.10) >> >> and it will be part of v1.19.0 >> >> >> >> I could however not find when this version will be released. Could >> that be checked somewhere? >> >> >> >> Second question is if Nifi is impacted by this vulnerability because >> it could be that the usage of this library in Apache Nifi does not allow it >> to exploit this vulnerability. >> >> >> >> Thank you very much for any feedback and thank you to the open source >> community for having made Apache Nifi and maintaining/improving this >> product. >> >> >> >> /Tom >> >
