Protobuf contains a new high-level CVE, described in https://github.com/advisories/GHSA-735f-pc8j-v9w8.
The problem in Pulsar is that Protobuf cannot be upgraded unless it's first upgraded in Bookkeeper. I have made a PR to the Bookkeeper master branch: https://github.com/apache/bookkeeper/pull/4508. We also need to address the maintenance branches branch-4.17 and branch-4.16. The Protobuf version also impacts the gRPC version, so it's not a simple problem to solve, especially with the required releases for Bookkeeper.

Another problem with Pulsar is that clients also use Protobuf, and protoc-generated stubs could break (and usually do) when the version is upgraded. The issue is described here: https://github.com/apache/pulsar/issues/22263.

This is a release blocker now since CVE-2023-32732 is categorized with high severity, and we need to find a solution to the above problems.

-Lari

On 2023/12/14 18:47:53 Lari Hotari wrote:
> Hi all,
>
> I have started a thread on d...@bookkeeper.apache.org about gRPC & Protobuf
> library upgrades.
>
> You can follow and contribute to the discussion on this thread:
> https://lists.apache.org/thread/odg7p617zwqjngq6fk6qf8xfzbfwgfgq
>
> Looking forward to your valuable input.
>
> -Lari