I've created https://github.com/apache/pulsar/issues/23341 to track the work to address CVE-2024-7254.

-Lari

On 2024/09/23 11:56:50 Lari Hotari wrote:
> Protobuf contains a new high-level CVE, described in
> https://github.com/advisories/GHSA-735f-pc8j-v9w8.
>
> The problem in Pulsar is that Protobuf cannot be upgraded unless it's first
> upgraded in Bookkeeper. I have made a PR to the Bookkeeper master branch:
> https://github.com/apache/bookkeeper/pull/4508. We also need to address the
> maintenance branches branch-4.17 and branch-4.16. The Protobuf version also
> impacts the gRPC version, so it's not a simple problem to solve, especially
> with the required releases for Bookkeeper.
>
> Another problem with Pulsar is that clients also use Protobuf, and
> protoc-generated stubs could break (and usually do) when the version is
> upgraded. The issue is described here:
> https://github.com/apache/pulsar/issues/22263.
>
> This is a release blocker now since CVE-2023-32732 is categorized with high
> severity, and we need to find a solution to the above problems.
>
> -Lari
>
> On 2023/12/14 18:47:53 Lari Hotari wrote:
> > Hi all,
> >
> > I have started a thread on d...@bookkeeper.apache.org about gRPC & Protobuf
> > library upgrades.
> >
> > You can follow and contribute to the discussion on this thread:
> > https://lists.apache.org/thread/odg7p617zwqjngq6fk6qf8xfzbfwgfgq
> >
> > Looking forward to your valuable input.
> >
> > -Lari