On Thu, 3 Oct 2024 at 22:59, Lari Hotari <lhot...@apache.org> wrote:
> Dear Pulsar Community,
>
> There's a critical 9.3/10 level RCE vulnerability in Avro Java SDK <1.11.4, CVE-2024-47561.
> More details can be found in these resources:
> - https://github.com/advisories/GHSA-r7pg-v2c8-mfg3
> - https://nvd.nist.gov/vuln/detail/CVE-2024-47561
> - https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
>
> In Pulsar, there's a PR under review to upgrade Avro to 1.11.4:
> https://github.com/apache/pulsar/pull/23394
>
> I suggest that we start preparations for expedited Pulsar 3.0.7 and
> 3.3.2 releases due to this critical vulnerability. I can volunteer to
> handle these releases as a release manager.
>
> Further coordination of these releases and discussions about possible
> mitigations will be on the d...@pulsar.apache.org mailing list. I have
> also sent this message to the users@pulsar.apache.org list. Mailing
> list archives and joining instructions for the dev mailing list can be
> found at https://pulsar.apache.org/contact/.

Thanks for driving this

Enrico

> -Lari
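The announcement above gives one actionable fact: Avro Java artifacts older than 1.11.4 are affected. The following script, added here as an illustration and not part of the thread or of the Pulsar project, walks the text output of `mvn dependency:tree` and flags every `org.apache.avro` artifact whose version is below the 1.11.4 fix line, including transitive ones pulled in through a client library. The dependency-tree sample embedded in it is constructed, and the artifact names and versions in it are made up for the demonstration.

```python
"""Flag org.apache.avro artifacts older than the fixed 1.11.4 release in a Maven dependency tree.

Added example, not code from the mailing-list thread or from Apache Pulsar.
Assumes plain-text output of `mvn dependency:tree` on stdin or in a string.
"""
import re
import sys

# From the advisory quoted above: Avro Java SDK < 1.11.4 is affected (CVE-2024-47561).
FIXED_VERSION = (1, 11, 4)
AVRO_GROUP = "org.apache.avro"

# Constructed sample of `mvn dependency:tree` output; the coordinates are invented.
SAMPLE_TREE = """\
[INFO] org.example:my-pulsar-app:jar:1.0.0
[INFO] +- org.apache.pulsar:pulsar-client:jar:3.0.6:compile
[INFO] |  \\- org.apache.avro:avro:jar:1.11.3:compile
[INFO] +- org.apache.avro:avro-compiler:jar:1.11.4:compile
[INFO] \\- org.apache.avro:avro:jar:1.12.0:test
"""

# A Maven coordinate token: groupId:artifactId:packaging[:classifier]:version[:scope]
COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")


def parse_version(version: str) -> tuple:
    """Turn '1.11.3' or '1.11.4-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    nums = [int(part) for part in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True when the given Avro version is below the 1.11.4 fix line."""
    return parse_version(version) < FIXED_VERSION


def parse_coordinate(line: str):
    """Extract (group, artifact, version, scope) from one dependency:tree line, or None."""
    match = COORD_RE.search(line)
    if not match:
        return None
    parts = match.group(0).split(":")
    group, artifact = parts[0], parts[1]
    if len(parts) == 4:          # root project line has no scope
        version, scope = parts[3], ""
    else:                        # with or without classifier, version is second to last
        version, scope = parts[-2], parts[-1]
    return group, artifact, version, scope


def find_vulnerable_avro(tree_text: str) -> list:
    """Return [(artifact, version, scope)] for every org.apache.avro artifact below 1.11.4.

    Every artifact in the org.apache.avro group is checked, since the advisory
    names the Java SDK as a whole rather than a single artifact.
    """
    findings = []
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version, scope = coord
        if group == AVRO_GROUP and is_vulnerable(version):
            findings.append((artifact, version, scope))
    return findings


if __name__ == "__main__":
    # Pipe `mvn dependency:tree` into this script, or run it without input to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    hits = find_vulnerable_avro(text)
    for artifact, version, scope in hits:
        print(f"VULNERABLE: {AVRO_GROUP}:{artifact}:{version} ({scope or 'root'}) < 1.11.4")
    sys.exit(1 if hits else 0)
```

On the constructed sample the script reports only the transitive `org.apache.avro:avro:1.11.3` pulled in through the client dependency; the 1.11.4 and 1.12.0 entries pass. Because Maven resolves a single version per artifact in the final classpath, treat a hit in `dependency:tree` as a prompt to check what actually ships, not as proof of exposure on its own.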