Hi team,

I started working on this patch. I think we need to upgrade the main version of Jetty because all of the 9.4-based versions have CVE problems. See here: https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server

We should upgrade Jetty to 11.0.15, which is the latest version. For this, we need quite a few code changes. Jetty 10+ does not support Java 8 (https://www.eclipse.org/jetty/download.php); perhaps we should drop the Java 8 support?
Regards,
Villo

On Fri, May 26, 2023 at 8:43 AM Andor Molnar <an...@apache.org> wrote:
> Owasp build reported the following:
>
> [ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
> [ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
> [ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
>
> Thanks Ben for letting us know. Would you please kindly update the Jira
> with the listed CVEs and the affected version (3.8.1)?
>
> We'll check if these CVEs should be fixed on ZooKeeper side and if
> needed, you should expect a new release from the 3.8.x branch, since
> it's an active release branch.
>
> Andor
>
> On Fri, 2023-05-26 at 08:33 +0200, Andor Molnar wrote:
> > Hi Ben,
> >
> > Let me check this.
> > I triggered an owasp check build on Apache CI:
> > https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/job/branch-3.8.1/7/
> >
> > Btw, Enrico, we're still having both 3.8.0 and 3.8.1 releases on the
> > web page as separate release lines. Would you mind if I submit a change
> > to the webpage to remove 3.8.0?
> >
> > Not sure who I talked to about it, it was a long time ago.
> >
> > Regards,
> > Andor
> >
> > On Thu, 2023-05-18 at 17:54 +0000, Ben Johnston wrote:
> > > > version of zookeeper we are using is 3.8.0
> > >
> > > The latest zookeeper release is 3.8.1
> > > (https://github.com/apache/zookeeper/releases/tag/release-3.8.1) that
> > > included a number of bugfixes, probably some that are in your list.
> > >
> > > The 3.8.1 does have a medium and low CVE that are on the jetty
> > > server: CVE-2023-26048 and CVE-2023-26049. When might the team do a
> > > release to do security fixes?
> > >
> > > Thanks,
> > >
> > > Ben Johnston, GCIH, GCFA, GPEN
> > > Application Security Engineer
> > > COFENSE
> > > o. 785-250-4412
> > > e. ben.johns...@cofense.com
> > >
> > > Connect with Cofense:
> > >
> > > From: Dilip anand (Jira) <j...@apache.org>
> > > Date: Tuesday, May 16, 2023 at 11:34 AM
> > > To: dev@zookeeper.apache.org <dev@zookeeper.apache.org>
> > > Subject: [jira] [Created] (ZOOKEEPER-4696) Update for Zookeeper latest version
> > >
> > > External Email
> > >
> > > Dilip anand created ZOOKEEPER-4696:
> > > --------------------------------------
> > >
> > > Summary: Update for Zookeeper latest version
> > > Key: ZOOKEEPER-4696
> > > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696
> > > Project: ZooKeeper
> > > Issue Type: Bug
> > > Reporter: Dilip anand
> > >
> > > Hi team,
> > >
> > > We ran a scan for security vulnerability fixes, and we have seen
> > > CVEs that are affected for zookeeper; the version of zookeeper we
> > > are using is 3.8.0. Here are the CVEs which are affected with zookeeper:
> > > CVE-2022-32221, CVE-2023-23914, CVE-2023-27533, CVE-2023-27534,
> > > CVE-2022-22576, CVE-2020-8169, CVE-2020-8285, CVE-2020-8286,
> > > CVE-2021-22926, CVE-2021-22946, CVE-2022-27775, CVE-2022-27781,
> > > CVE-2022-27782, CVE-2023-23916, which do not have any reports on the
> > > Red Hat website. We want to know what version of zookeeper will clear
> > > these CVEs and when it'll be released?
> > >
> > > Regards,
> > > Dilip
> > >
> > > --
> > > This message was sent by Atlassian Jira
> > > (v8.20.10#820010)
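An added example, not from this thread and not ZooKeeper project code: a small Python triage helper for the dependency-check console lines Andor quoted above. It parses each "[ERROR] <jar>: CVE-...(score), ..." line into artifact, version and CVE/CVSS pairs, groups findings by artifact version so that jars from one upstream release (jetty-io and jetty-server here) show up as a single upgrade rather than two, applies a CVSS fail threshold together with a suppression list that requires a written reason per CVE, and compares the parsed Jetty release number against the 11.0.15 target proposed at the top of the thread. The sample log text is constructed from the three lines in the thread plus two non-finding lines; the 7.0 threshold, the suppression entries and their reasons are assumptions for illustration, not project policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the three findings quoted in the thread plus two
# non-finding lines, to show that only "<jar>: CVE-...(score)" lines are parsed.
SAMPLE_LOG = """\
[INFO] Checking for updates and analyzing dependencies for vulnerabilities
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
[ERROR] jetty-io-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] jetty-server-9.4.49.v20220914.jar: CVE-2023-26048(5.3), CVE-2023-26049(5.3)
[ERROR] One or more dependencies were identified with known vulnerabilities
"""

# "[ERROR] <jar>: <cve list>" where the list is comma-separated "CVE-YYYY-NNNN(score)".
ERROR_LINE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s+(?P<cves>.+?)\s*$")
# "<artifact>-<version>.jar"; the artifact may itself contain dashes (jetty-io),
# so the version is the first dash-delimited part that starts with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.]*)\.jar$")
CVE_ENTRY = re.compile(r"(?P<id>CVE-\d{4}-\d{4,})\((?P<score>\d+(?:\.\d+)?)\)")


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    cve: str
    cvss: float


def parse_report(text: str) -> List[Finding]:
    """One Finding per (jar, CVE) pair; lines that are not findings are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = ERROR_LINE.match(line)
        if m is None:
            continue
        jar = JAR_NAME.match(m.group("jar"))
        if jar is None:
            continue  # unversioned jar name: nothing to compare a fix against
        for entry in CVE_ENTRY.finditer(m.group("cves")):
            findings.append(Finding(jar.group("artifact"), jar.group("version"),
                                    entry.group("id"), float(entry.group("score"))))
    return findings


def by_version(findings: List[Finding]) -> Dict[Tuple[str, str], List[str]]:
    """Group CVE ids by (artifact, version): jars from one upstream release
    (jetty-io and jetty-server here) are cleared by one version bump, not two."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for f in findings:
        groups.setdefault((f.artifact, f.version), []).append(f.cve)
    return groups


def blocking(findings: List[Finding], fail_cvss: float,
             suppressed: Dict[str, str]) -> List[Finding]:
    """Findings that should fail the build: at or above the CVSS threshold and
    not present in the suppression list (CVE id mapped to a written reason)."""
    return [f for f in findings if f.cvss >= fail_cvss and f.cve not in suppressed]


def jetty_release(version: str) -> Tuple[int, ...]:
    """'9.4.49.v20220914' -> (9, 4, 49): Jetty's 'vYYYYMMDD' qualifier is a
    build date, not part of the release number, so it is dropped before comparing."""
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def needs_bump(version: str, target: str) -> bool:
    """True if the jar's release number is below the target release."""
    return jetty_release(version) < jetty_release(target)


if __name__ == "__main__":
    found = parse_report(SAMPLE_LOG)
    # Assumed policy for illustration only: fail at CVSS 7.0, and carry the two
    # Jetty CVEs with a reason while the Jetty upgrade is being worked on.
    assumed_suppressions = {"CVE-2023-26048": "assumed: Jetty upgrade in progress",
                            "CVE-2023-26049": "assumed: Jetty upgrade in progress"}
    for (artifact, version), cves in by_version(found).items():
        print(f"{artifact} {version}: {', '.join(cves)}")
    for f in blocking(found, 7.0, assumed_suppressions):
        print(f"BLOCKING {f.artifact} {f.version} {f.cve} ({f.cvss})")
    print("jetty-server needs bump to 11.0.15:", needs_bump("9.4.49.v20220914", "11.0.15"))
```

The suppression map deliberately requires a reason string per CVE rather than a bare list, so a suppression without a justification does not compile into the policy; the grouping step is what makes it visible that both Jetty jars carry the same version and will be fixed by the same bump.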