Thank you, Lari. I support the rushed timeline so our users can upgrade sooner.
- Michael

On Fri, Oct 4, 2024 at 7:21 AM Lari Hotari <lhot...@apache.org> wrote:
> I have triggered Pulsar CI builds for the pulsar-ci [1] and
> pulsar-ci-flaky [2] workflows for `branch-3.0` and `branch-3.3`. I'll
> proceed with the release process [3] for 3.0.7 and 3.3.2 once there are
> successful build results from the Pulsar CI builds.
>
> The release vote will be handled in an expedited manner on the dev mailing
> list, in a vote thread.
>
> Due to the criticality of the security vulnerability, I'm suggesting that
> we proceed with releasing the artifacts once there are 3 positive binding
> votes following the ASF Release Policy, with a one hour minimum voting
> period. The 72 hour minimum voting period in the ASF Release Policy is not
> a mandatory release approval requirement [4].
>
> -Lari
>
> 1 - https://github.com/apache/pulsar/actions/workflows/pulsar-ci.yaml
> 2 - https://github.com/apache/pulsar/actions/workflows/pulsar-ci-flaky.yaml
> 3 - https://pulsar.apache.org/contribute/release-process/
> 4 - https://www.apache.org/legal/release-policy.html#release-approval
>
> On 2024/10/03 20:58:43 Lari Hotari wrote:
> > Dear Pulsar Community,
> >
> > There's a critical 9.3/10 level RCE vulnerability in Avro Java SDK
> > <1.11.4, CVE-2024-47561.
> > More details can be found in these resources:
> > - https://github.com/advisories/GHSA-r7pg-v2c8-mfg3
> > - https://nvd.nist.gov/vuln/detail/CVE-2024-47561
> > - https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
> >
> > In Pulsar, there's a PR under review to upgrade Avro to 1.11.4:
> > https://github.com/apache/pulsar/pull/23394
> >
> > I suggest that we start preparations for expedited Pulsar 3.0.7 and
> > 3.3.2 releases due to this critical vulnerability. I can volunteer to
> > handle these releases as a release manager.
> >
> > Further coordination of these releases and discussions about possible
> > mitigations will be on the dev@pulsar.apache.org mailing list. I have
> > also sent this message to the us...@pulsar.apache.org list. Mailing
> > list archives and joining instructions for the dev mailing list can be
> > found at https://pulsar.apache.org/contact/.
> >
> > -Lari
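The thread states the fixed Avro version (1.11.4) but gives no way to check a deployment for an older one. The script below is an added example, not from the thread or the Pulsar project: it takes jar file names, extracts the version from any jar whose name contains "avro", and reports those below 1.11.4. The `org.apache.avro-avro-<version>.jar` naming and the sample listing are constructed assumptions about how a Pulsar distribution lays out its lib/ directory; adapt the names to what `ls lib/` actually shows.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): flag Avro Java jars
# older than 1.11.4, the version the thread names as fixing CVE-2024-47561.
# Jar naming of the form "org.apache.avro-avro-<version>.jar" is an assumption
# about a Pulsar distribution's lib/ directory, not something the thread states.

FIXED_AVRO=1.11.4

# avro_version_from_jar NAME
# Prints the trailing dotted version of a jar whose name contains "avro";
# returns 1 for any other jar (e.g. pulsar-broker). Only plain numeric
# versions such as 1.11.3 are handled; qualifiers like -SNAPSHOT are not.
avro_version_from_jar() {
    case "$1" in
        *avro*-[0-9]*.jar)
            v=${1%.jar}          # drop the extension
            v=${v##*-}           # keep what follows the last "-"
            printf '%s\n' "$v"
            ;;
        *)
            return 1
            ;;
    esac
}

# version_lt A B
# Returns 0 when dotted version A is numerically lower than B, component by
# component, so that 1.11.3 < 1.11.4 and 1.11 < 1.11.4 but 1.12 is not < 1.11.4.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1                     # equal versions are not "less than"
}

# vulnerable_avro_jars JAR...
# Prints, one per line, every Avro jar among the arguments whose version is
# below $FIXED_AVRO. Non-Avro jars are ignored.
vulnerable_avro_jars() {
    for jar in "$@"; do
        v=$(avro_version_from_jar "$jar") || continue
        if version_lt "$v" "$FIXED_AVRO"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Constructed sample listing standing in for "ls lib/" on a pre-upgrade
# Pulsar 3.0.6 install; these names are illustrative, not captured output.
SAMPLE_JARS="org.apache.avro-avro-1.11.3.jar
org.apache.avro-avro-ipc-1.11.3.jar
org.apache.pulsar-pulsar-broker-3.0.6.jar"

# Real use: vulnerable_avro_jars $(ls /path/to/pulsar/lib)
vulnerable_avro_jars $SAMPLE_JARS
```

A non-empty result means the install still carries a pre-fix Avro and should be moved to a Pulsar build that includes the 1.11.4 upgrade; an empty result only says the file names look right, so confirm against the actual jars rather than relying on names alone.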