Security vulnerabilities in the apache/bookkeeper-4.9.2 image #2387
Comments
Even though, for Java, the upgraded version is mentioned as 8u241, it is better to upgrade to the latest Java 8 security patch available.
In my opinion it is time to switch to JDK11 for 4.12.0
@eolivelli +1 from me. Although we also need to consider that Pulsar is using JDK8.
+1
Pravega also supports Java 8 as of now. Switching to Java 11 looks good to me, as long as it also continues to work with Java 8.
It would be really helpful if anyone could provide an update on this issue.
In my opinion we should work in these areas:
@nicoloboschi @Ghatage @mino181295 do you have time to pick up these items? dependency upgrade / docker image upgrades
I am trying to upgrade to JDK11 here #2433
@eolivelli The requirement for netty is to be at 4.1.44-Final at the least. Same with the jackson-databind dependency. Also what do you recommend for logging? We use SLF4J over log4j, and even the latest SLF4J is lagging behind at 1.7.30. I couldn't find the change log for the release either.
I am not sure we are going to cut new releases out of branch-4.9. Btw if there is an interest in making this update let's do it.
Descriptions of the changes in this PR:
- Update "master" docker image to BK 4.11.0
- Update to OpenJDK11 the main Docker image and the Docker image used for integration tests
- We are not using "JRE" because it does not bundle jshell and our script detects the presence of JDK11+ from the presence of file "jshell"
Master Issue: #2387
Reviewers: Ravi Sharda <None>, Jia Zhai <zhaijia@apache.org>
This closes #2433 from eolivelli/fix/test-jdk11-upgrade-docker

Descriptions of the changes in this PR:
- Update "master" docker image to BK 4.11.0
- Update to OpenJDK11 the main Docker image and the Docker image used for integration tests
- We are not using "JRE" because it does not bundle jshell and our script detects the presence of JDK11+ from the presence of file "jshell"
Master Issue: #2387
Reviewers: Ravi Sharda <None>, Jia Zhai <zhaijia@apache.org>
This closes #2433 from eolivelli/fix/test-jdk11-upgrade-docker
(cherry picked from commit 83dec6e)
Signed-off-by: Enrico Olivelli <eolivelli@apache.org>
would it be possible to remove the usage of log4j v1? - it is end-of-life and has numerous security issues that will not be fixed
#2816 seems to sort out log4j - but the latest official release (4.14.4) still has a log4j v1 dependency (via slf4j-log4j12) - so maybe a new release is justified
@pjfanning I think we have already remove
BUG REPORT
A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image.
Steps to reproduce the behavior:
Expected behavior
The scanner should not report any vulnerabilities that have already been fixed.
Screenshots
NA
Additional context
NA