Jonathan,

Providing guides to Pulsar users on how to build a 2.6 image rather than promoting a vendor image is much better.
- Sijie

On Thu, May 27, 2021 at 12:40 PM Jonathan Ellis <jbel...@gmail.com> wrote:

> Hi Sijie,
>
> Given the serious nature of this vulnerability, we thought it was best to
> provide Apache Pulsar users with a 2.6 build as quickly as possible, in
> parallel with helping out on an official 2.6.4 release.
>
> On Thu, May 27, 2021 at 2:24 PM Sijie Guo <guosi...@gmail.com> wrote:
>
>> Chris - I don't think it is appropriate to promote a vendor image here from
>> a vendor perspective.
>>
>> A better approach is to point out the change has been cherry-picked to
>> branch-2.6 and an ongoing discussion for getting a new bugfix release for
>> branch 2.6 is out.
>>
>> - Sijie
>>
>> On Thu, May 27, 2021 at 12:15 PM Chris Bartholomew <chris.bartholo...@kesque.com> wrote:
>>
>> > For folks on Pulsar 2.6 using token-based authentication, since there is no
>> > 2.6 version with the CVE fix yet available, you are welcome to use our
>> > Pulsar Docker images which contain the fix and which we have confirmed
>> > resolve the CVE:
>> >
>> > - datastax/pulsar:2.6.2_1.0.1
>> >   <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
>> >
>> > - datastax/pulsar-all:2.6.2_1.0.1
>> >   <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>
>> >
>> > The fix
>> > <https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
>> > has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
>> > help get an official 2.6 release out for this vulnerability fix ASAP.
>> >
>> > Chris
>> >
>> > On Tue, 25 May 2021 at 09:27, PengHui Li <peng...@apache.org> wrote:
>> >
>> > > CVE-2021-22160 Apache Pulsar Information Disclosure
>> > >
>> > > Severity: High
>> > >
>> > > Versions Affected:
>> > > Apache Pulsar < 2.7.1
>> > >
>> > > Description:
>> > > If Apache Pulsar is configured to authenticate clients using tokens
>> > > based on JSON Web Tokens (JWT), the signature of the token is not
>> > > validated if the algorithm of the presented token is set to "none".
>> > > This allows an attacker to connect to Pulsar instances as any user
>> > > (incl. admins).
>> > >
>> > > Mitigation:
>> > > Users of the affected versions should apply one of the following
>> > > mitigations:
>> > > Upgrade to Apache Pulsar 2.7.1 or later
>> > >
>> > > Credit:
>> > > This issue was identified by Peter Stöckli
>> > >
>> >
>
> --
> Jonathan Ellis
> co-founder, http://www.datastax.com
> @spyced
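The JWT "alg: none" weakness described in the quoted advisory, as an added illustration that is not part of this thread and not Pulsar's own code (Pulsar's token provider is Java; this is a minimal Python reimplementation of the two verifier behaviours, written to show the bug class only). The secret key, the claims and both tokens are constructed for the demo. `verify_vulnerable` honours whatever algorithm the token header names, so a header of `{"alg": "none"}` skips the signature check entirely; `verify_hardened` pins the permitted algorithms on the server side and always requires and checks a signature, so the same forged token is rejected:

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed JWT, as a legitimate token issuer would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """The attacker's token: alg=none, empty signature, arbitrary claims.
    No key material is needed to build it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts


def _hs256_ok(parts, key: bytes) -> bool:
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(parts[2]))


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Trusts the 'alg' the *token* declares. A header of alg=none means
    no signature is checked, so any claims the attacker wrote are accepted."""
    header, claims, parts = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return claims  # the bug: attacker-chosen algorithm disables verification
    if alg == "HS256" and _hs256_ok(parts, key):
        return claims
    raise ValueError("signature check failed")


def verify_hardened(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """The verifier, not the token, decides the algorithm. 'none' is never
    in the allow-list and a signature is always required and compared in
    constant time."""
    header, claims, parts = _split(token)
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if not parts[2]:
        raise ValueError("missing signature")
    if not _hs256_ok(parts, key):
        raise ValueError("bad signature")
    return claims


def demo() -> dict:
    """Run both verifiers against a legitimate and a forged token and report
    which subject (if any) each one accepted."""
    key = b"constructed-demo-secret-not-a-real-pulsar-key"  # assumption: demo key only
    legit = sign_hs256({"sub": "reader-app"}, key)
    forged = forge_alg_none({"sub": "admin"})  # attacker never sees `key`

    def accepted_subject(verifier, token):
        try:
            return verifier(token, key)["sub"]
        except ValueError:
            return None

    return {
        "vulnerable_legit": accepted_subject(verify_vulnerable, legit),
        "vulnerable_forged": accepted_subject(verify_vulnerable, forged),
        "hardened_legit": accepted_subject(verify_hardened, legit),
        "hardened_forged": accepted_subject(verify_hardened, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check for any JWT-consuming service, Pulsar included, is the one `verify_hardened` encodes: the accepted algorithm set must be fixed in server configuration, never read from the presented token, and an empty or absent signature must fail closed. A token forged with `alg: HS256` but no knowledge of the key is rejected by both verifiers; it is only the `none` path that turns the vulnerable one into an open door.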