Sorry for the delay. I have just gotten approval to release the fix we made to address CVE-2023-31442 to our private fork of Akka internally at Workday.

https://github.com/apache/incubator-pekko/pull/385

I am really busy for the rest of the day but I would be happy to help combine this with any of the other PRs in this area tomorrow.

Iain.

CVE-2023-31442 Address DNS poisoning vulnerability by IainHull · Pull Request #385 · apache/incubator-pekko
<https://github.com/apache/incubator-pekko/pull/385>
This also addresses a concurrency bug in the sequence generator, and verifies the question asked in the response.

here is the fix we made

________________________________
From: Iain Hull <[email protected]>
Sent: 09 June 2023 16:18
To: [email protected] <[email protected]>
Subject: Re: [External Sender] Re: recent Akka security fixes (CVEs)

Hi PJ,

I have an internal fix for the Akka DNS issue. I have been very careful not to look at any akka changes post 2.6. I need to get approval to make the changes public. Once I have done that I am happy to post both fixes in PRs for further discussion. Hopefully by next week.

Iain.

________________________________
From: kerr <[email protected]>
Sent: 09 June 2023 04:21
To: [email protected] <[email protected]>
Subject: [External Sender] Re: recent Akka security fixes (CVEs)

There are some open data from https://discuss.lightbend.com

何品

PJ Fanning <[email protected]> wrote on Friday, 9 June 2023 at 05:08:

> Hi everyone,
>
> We are aware of the Akka fixes [1] and are working on Pekko equivalents.
>
> We cannot use the Akka fixes as they are not open sourced. If anyone
> wants to contribute to the related PRs, please be aware that we cannot
> accept any code or comments based on the Akka changes. Any PRs
> submitted to Apache projects need to be based on your own work.
>
> The issue with the Async DNS resolver is the most complicated to fix
> [2] and will delay the Pekko Core RC1 by a week or two.
>
> If anyone finds other security related issues in Akka or Pekko should
> ideally report them to the Apache Security team and not disclose the
> issue publicly (see policy [3]). We will notify the Akka team, just in
> case the issue was only reported to us.
>
> Thanks,
> PJ
>
> [1] https://akka.io/security/
> [2] https://github.com/apache/incubator-pekko/pull/371
> [3] https://www.apache.org/security/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
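As an added illustration of the two defensive checks named in the PR description above (an unpredictable, thread-safe transaction-id table for outstanding queries, and verifying that the question section of a reply matches the query before the reply is accepted), here is a minimal Python model. It is example code written for this thread, not Iain's patch, not Pekko's or Akka's resolver, and it does not reproduce either project's API; the DNS wire-format helpers, the `PendingQueries` class and the sample names are constructed for the example.

```python
import secrets
import struct
import threading

# --- constructed minimal DNS wire-format helpers (example only) ---

def encode_name(name: str) -> bytes:
    """Encode "example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, offset: int):
    """Decode a name at offset (compression pointers allowed, hop-limited).
    Returns (lower-cased dotted name, offset just past the name field)."""
    labels, hops, jumped, end = [], 0, False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            hops += 1
            if hops > 16:                   # refuse pointer loops in hostile input
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end

def build_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def build_response(txid: int, name: str, qtype: int = 1, qclass: int = 1,
                   answer_ip: str = "192.0.2.1") -> bytes:
    """Constructed A-record reply with one answer pointing at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(x) for x in answer_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, qclass, 300, len(rdata)) + rdata
    return header + question + answer

def parse_question(msg: bytes):
    """Return (txid, name, qtype, qclass) of the single question in a message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass

# --- the two checks: unpredictable ids, and question verified on reply ---

class PendingQueries:
    """Thread-safe table of outstanding queries keyed by a CSPRNG transaction id."""

    def __init__(self):
        self._lock = threading.Lock()
        self._pending = {}

    def register(self, name: str, qtype: int = 1, qclass: int = 1) -> int:
        with self._lock:                    # one lock: no racing counter updates
            while True:
                txid = secrets.randbelow(0x10000)   # random, not a sequence
                if txid not in self._pending:
                    break
            self._pending[txid] = (name.lower().rstrip("."), qtype, qclass)
        return txid

    def accept(self, response: bytes) -> bool:
        """True only if BOTH the id and the echoed question match a pending query.
        A reply with a known id but a different question is dropped."""
        try:
            txid, name, qtype, qclass = parse_question(response)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            return False
        with self._lock:
            if self._pending.get(txid) != (name, qtype, qclass):
                return False
            del self._pending[txid]         # consume: a second copy is not accepted
        return True
```

The point of checking the question section as well as the id is that the id alone is a 16-bit value; a reply whose question does not match what was asked is discarded even if it happens to carry a currently outstanding id.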
