Hi Sijie,

Given the serious nature of this vulnerability, we thought it was best to provide Apache Pulsar users with a 2.6 build as quickly as possible, in parallel with helping out on an official 2.6.4 release.

On Thu, May 27, 2021 at 2:24 PM Sijie Guo <guosi...@gmail.com> wrote:
> Chris - I don't think it is appropriate to promote a vendor image here from
> a vendor perspective.
>
> A better approach is to point out the change has been cherry-picked to
> branch-2.6 and an ongoing discussion for getting a new bugfix release for
> branch 2.6 is out.
>
> - Sijie
>
> On Thu, May 27, 2021 at 12:15 PM Chris Bartholomew <chris.bartholo...@kesque.com> wrote:
> > For folks on Pulsar 2.6 using token-based authentication, since there is no
> > 2.6 version with the CVE fix yet available, you are welcome to use our
> > Pulsar Docker images which contain the fix and which we have confirmed
> > resolves the CVE:
> >
> > - datastax/pulsar:2.6.2_1.0.1
> >   <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
> > - datastax/pulsar-all:2.6.2_1.0.1
> >   <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>
> >
> > The fix <https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
> > has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
> > help get an official 2.6 release out for this vulnerability fix ASAP.
> >
> > Chris
> >
> > On Tue, 25 May 2021 at 09:27, PengHui Li <peng...@apache.org> wrote:
> > > CVE-2021-22160 Apache Pulsar Information Disclosure
> > >
> > > Severity: High
> > >
> > > Versions Affected:
> > > Apache Pulsar < 2.7.1
> > >
> > > Description:
> > > If Apache Pulsar is configured to authenticate clients using tokens
> > > based on JSON Web Tokens (JWT), the signature of the token is not
> > > validated if the algorithm of the presented token is set to "none".
> > > This allows an attacker to connect to Pulsar instances as any user
> > > (incl. admins).
> > >
> > > Mitigation:
> > > Users of the affected versions should apply one of the following
> > > mitigations:
> > > Upgrade to Apache Pulsar 2.7.1 or later
> > >
> > > Credit:
> > > This issue was identified by Peter Stöckli
> > >

-- 
Jonathan Ellis
co-founder, http://www.datastax.com
@spyced
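The verifier behaviour that CVE-2021-22160 turns on, as an added example that is not Pulsar's own code: a minimal JWT (compact JWS) check that takes the accepted algorithm from its own configuration rather than from the token header, so a token presenting `alg: none` is rejected outright instead of skipping signature validation. The `SECRET` value, the `ALLOWED_ALGS` set and the `sign_hs256` issuer helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a broker would load its configured secret key instead.
SECRET = b"demo-secret-key-do-not-use"
# Algorithms the verifier accepts come from *its* configuration, never from the token.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side (demo helper): build a compact JWS with an HMAC-SHA256 signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Verifier side: return the claims only if the signature checks out under an
    allow-listed algorithm; return None for anything else, including alg=none."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The CVE-2021-22160 failure mode is honouring a token-supplied "none" and
    # skipping the signature check; here any non-allow-listed alg is a reject.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims
```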