Thank you for posting the issue to the mailing list, Baoyuan. Since I created an issue last night, there have been problems with my network and I have not been able to give feedback in time.
On Fri, 31 Dec 2021 at 11:11, Baoyuan <baoyuan....@gmail.com> wrote:

> Hi, please note that the relevant issue has been created [1].
>
> Thanks to JunXu Chen!
>
> [1] https://github.com/apache/apisix-dashboard/issues/2275
>
> JunXu Chen <chenju...@apache.org> wrote on Thu, 30 Dec 2021 at 14:22:
>
> > OK, let's create an issue in the APISIX Dashboard repo and show how to disable the two APIs and rebuild.
> >
> > On Thu, 30 Dec 2021 at 11:55, Zhiyuan Ju <juzhiy...@apache.org> wrote:
> >
> > > It's also a good idea after consideration; disabling those 2 APIs is the quickest way. If users need the OpenAPI feature, they could rebuild according to the build doc :)
> > >
> > > Junxu, could you please share the steps on how to disable and rebuild manager-api?
> > >
> > > Best Regards!
> > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > >
> > > Ming Wen <wenm...@apache.org> wrote on Thu, 30 Dec 2021 at 10:08:
> > >
> > > > I don't think we need to be compatible with so many old versions. Is there a quick fix guide? For example, disable these two APIs.
> > > >
> > > > Thanks,
> > > > Ming Wen, Apache APISIX PMC Chair
> > > > Twitter: _WenMing
> > > >
> > > > Baoyuan <baoyuan....@gmail.com> wrote on Thu, 30 Dec 2021 at 10:04:
> > > >
> > > > > Hi, after confirming with JunXu Chen, the vulnerability was introduced in version 2.7.0.
> > > > >
> > > > > We need to cherry-pick the fixed commit [1] to the appropriate release branch to re-release the fixed version.
> > > > >
> > > > > Affected versions are v2.9.0, v2.8, v2.7.1; these versions need to be released with corresponding fixes: v2.9.1, v2.8.1, v2.7.2.
> > > > >
> > > > > I will submit the corresponding fix PRs.
> > > > >
> > > > > [1] https://github.com/apache/apisix-dashboard/commit/b565f7cd090e9ee2043fbb726fbaae01737f83cd
> > > > >
> > > > > Zhiyuan Ju <juzhiy...@apache.org> wrote on Thu, 30 Dec 2021 at 09:13:
> > > > >
> > > > > > Hi Yuan Bao,
> > > > > >
> > > > > > According to this mailing list's feedback, we need to backport that fix to the previous version; could you help to do that? And the PMC could help you to release them.
> > > > > >
> > > > > > Best Regards!
> > > > > > @ Zhiyuan Ju <https://github.com/juzhiyuan>
> > > > > >
> > > > > > okaybase <okayb...@apache.org> wrote on Wed, 29 Dec 2021 at 22:49:
> > > > > >
> > > > > > > Support backporting the fix +1
> > > > > > > This will help users to quickly improve the security of the Dashboard.
> > > > > > >
> > > > > > > JunXu Chen <chenju...@apache.org> wrote on Wed, 29 Dec 2021 at 20:48:
> > > > > > >
> > > > > > > > Support backporting the fix +1
> > > > > > > >
> > > > > > > > On Wed, 29 Dec 2021 at 17:30, Tsangleslie <leslie.ts...@icloud.com.invalid> wrote:
> > > > > > > >
> > > > > > > > > Agreed to backport the fix. For users using APISIX in a prod environment, it will be a long day to upgrade both APISIX and APISIX Dashboard.
> > > > > > > > >
> > > > > > > > > On 29 Dec 2021, at 5:16 PM, Zhiyuan Ju <juzhiy...@apache.org> wrote:
> > > > > > > > >
> > > > > > > > > > I also support backporting this fix to the previous Dashboard, or providing a quick way for users to disable those 2 unauthorized APIs.
> > > > > > > > > >
> > > > > > > > > > Baoyuan <baoyuan....@gmail.com> wrote on Wed, 29 Dec 2021 at 4:35 PM:
> > > > > > > > > >
> > > > > > > > > > > Hi Community, when APISIX Dashboard users try to fix CVE-2021-45232, they need to upgrade Dashboard to version 2.10.1.
> > > > > > > > > > >
> > > > > > > > > > > Due to the Dashboard version needing to correspond to APISIX, users will also need to consider upgrading APISIX, which may cause inconvenience to users.
> > > > > > > > > > >
> > > > > > > > > > > Are we considering backporting the fixed code for this vulnerability to the previous affected version? What do you think?
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > From 琚致远