Hi PJ, I have an internal fix for the Akka DNS issue. I have been very careful not to look at any Akka changes post 2.6. I need to get approval to make the changes public. Once I have done that I am happy to post both fixes in PRs for further discussion. Hopefully by next week.
Iain.

________________________________
From: kerr <[email protected]>
Sent: 09 June 2023 04:21
To: [email protected] <[email protected]>
Subject: [External Sender] Re: recent Akka security fixes (CVEs)

There is some open data from https://discuss.lightbend.com

何品

On Fri, 9 June 2023 at 05:08, PJ Fanning <[email protected]> wrote:

> Hi everyone,
>
> We are aware of the Akka fixes [1] and are working on Pekko equivalents.
>
> We cannot use the Akka fixes as they are not open sourced. If anyone
> wants to contribute to the related PRs, please be aware that we cannot
> accept any code or comments based on the Akka changes. Any PRs
> submitted to Apache projects need to be based on your own work.
>
> The issue with the Async DNS resolver is the most complicated to fix
> [2] and will delay the Pekko Core RC1 by a week or two.
>
> If anyone finds other security-related issues in Akka or Pekko, they
> should ideally report them to the Apache Security team and not disclose
> the issue publicly (see policy [3]). We will notify the Akka team, just
> in case the issue was only reported to us.
>
> Thanks,
> PJ
>
> [1] https://akka.io/security/
> [2] https://github.com/apache/incubator-pekko/pull/371
> [3] https://www.apache.org/security/
