Chris - I don't think it is appropriate to promote a vendor image here from
a vendor perspective.

A better approach is to point out the change has been cherry-picked to
branch-2.6 and an ongoing discussion for getting a new bugfix release for
branch-2.6 is out.

- Sijie

On Thu, May 27, 2021 at 12:15 PM Chris Bartholomew <chris.bartholo...@kesque.com> wrote:

> For folks on Pulsar 2.6 using token-based authentication, since there is no
> 2.6 version with the CVE fix yet available, you are welcome to use our
> Pulsar Docker images which contain the fix and which we have confirmed
> resolves the CVE:
>
>    - datastax/pulsar:2.6.2_1.0.1
>      <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
>    - datastax/pulsar-all:2.6.2_1.0.1
>      <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>
>
> The fix <https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
> has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
> help get an official 2.6 release out for this vulnerability fix ASAP.
>
> Chris
>
>
> On Tue, 25 May 2021 at 09:27, PengHui Li <peng...@apache.org> wrote:
>
> > CVE-2021-22160 Apache Pulsar Information Disclosure
> >
> > Severity: High
> >
> > Versions Affected:
> > Apache Pulsar < 2.7.1
> >
> > Description:
> > If Apache Pulsar is configured to authenticate clients using tokens
> > based on JSON Web Tokens (JWT), the signature of the token is not
> > validated if the algorithm of the presented token is set to "none".
> > This allows an attacker to connect to Pulsar instances as any user
> > (incl. admins).
> >
> > Mitigation:
> > Users of the affected versions should apply one of the following
> > mitigations:
> > Upgrade to Apache Pulsar 2.7.1 or later
> >
> > Credit:
> > This issue was identified by Peter Stöckli
> >
>

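The bug class PengHui's advisory describes, as an added illustration that is not Pulsar's code: a verifier that lets the token's own `alg` header decide whether the signature is checked, beside one that fixes the accepted algorithm up front and refuses unsigned tokens. The HS256 key, claim values and the `unsigned_token_fixture` helper (the input a verifier must reject) are constructed for the demo.

```python
# Added illustration of the CVE-2021-22160 bug class (JWT "alg": "none").
# Not Pulsar's code; stdlib only, HS256 only. Key and claim values are constructed.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # stand-in for the broker's configured key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed token, as a legitimate issuer would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token_fixture(claims: dict) -> str:
    """Constructed test vector: header says alg=none, signature part is empty."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable pattern: the token's own 'alg' chooses the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "none":  # 'none' skips signature validation entirely
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_hardened(token: str, key: bytes) -> dict:
    """Hardened: the verifier, not the token, decides the algorithm."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # allow-list; 'none' can never match
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))
```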