
[improve] Upgrade wildfly-elytron (used by debezium) to fix CVE-2022-3143 #19333

Merged
merged 5 commits into from
Feb 4, 2023

Conversation

dlg99
Contributor

@dlg99 dlg99 commented Jan 27, 2023

Motivation

OWASP detects CVE-2022-3143

Modifications

Upgraded wildfly-elytron (used by debezium) to fix CVE-2022-3143
Upgraded OWASP checker plugin (mainly to pick up the version that uses the hosted suppressions file to deal with well-known false positives).

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: dlg99#9

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jan 27, 2023
@@ -31,6 +31,41 @@
<name>Pulsar IO :: Debezium :: oracle</name>

<dependencies>
<dependency>
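Review bot: the dependency versions added here under `<dependencies>` of the oracle module pom should be declared in a `<dependencyManagement>` section of pulsar-io/debezium/pom.xml instead, as raised in the review, so every Debezium connector module inherits the same patched wildfly-elytron version; with 35 lines (`@@ -31,6 +31,41 @@`) added to a single module's pom, a sibling module left on the old transitive version would keep CVE-2022-3143 in its build.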
Contributor


we should add those in the section

Contributor Author


didn't get it, in what section?

Member


I think @nicoloboschi means that these should be in dependencyManagement section. I agree.
Please define these in a dependencyManagement section of pulsar-io/debezium/pom.xml file.
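The layout the reviewers are asking for, as an added example that is not code from this PR or from the Pulsar repository: the version pin lives once in the `<dependencyManagement>` section of the parent pulsar-io/debezium/pom.xml, and a connector module (the oracle module from the hunk above) references the artifact without a version. `org.wildfly.security:wildfly-elytron` is the published coordinate of the library; the version value is a placeholder because the page does not state the patched release, and the `wildfly-elytron.version` property name is an assumption.

```xml
<!-- pulsar-io/debezium/pom.xml: parent of the Debezium connector modules -->
<project>
  <properties>
    <!-- single place to bump the patched release; the value is a placeholder, not from the PR -->
    <wildfly-elytron.version>PATCHED_VERSION_HERE</wildfly-elytron.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- a managed version also overrides the transitive copy pulled in by debezium,
           so this entry alone fixes the version for every child module -->
      <dependency>
        <groupId>org.wildfly.security</groupId>
        <artifactId>wildfly-elytron</artifactId>
        <version>${wildfly-elytron.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- pulsar-io/debezium/oracle/pom.xml: child module, no version element; it is inherited -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.wildfly.security</groupId>
      <artifactId>wildfly-elytron</artifactId>
    </dependency>
  </dependencies>
</project>
```

Because Maven applies managed versions to transitive dependencies as well, the child-module entry is only needed where the module uses the library directly; otherwise the parent entry is sufficient. Debezium may pull in individual `org.wildfly.security` artifacts rather than the aggregate one shown here, so confirm which artifactIds actually resolve, and that the patched version wins in each module, with `mvn dependency:tree -Dincludes=org.wildfly.security`.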

@dlg99 dlg99 requested review from dave2wave and eolivelli January 27, 2023 22:25
@Technoboy- Technoboy- added this to the 2.12.0 milestone Jan 28, 2023
Member

@dave2wave dave2wave left a comment


We need to push through these types of upgrades. If our testing framework isn't sufficient then upgrade that!

@lhotari lhotari merged commit 71dafe8 into apache:master Feb 4, 2023
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request Feb 15, 2023
liangyepianzhou pushed a commit that referenced this pull request Feb 26, 2023
coderzc pushed a commit that referenced this pull request Feb 28, 2023
@coderzc coderzc added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Feb 28, 2023
Annavar-satish pushed a commit to pandio-com/pulsar that referenced this pull request Mar 6, 2023
@momo-jun momo-jun changed the title [improve] Upgrade wildfly-eytron (used by debezium) to fix CVE-2022-3143 [improve] Upgrade wildfly-elytron (used by debezium) to fix CVE-2022-3143 Apr 24, 2023