
[fix][sec] Bump async-http-client to 2.12.4 to address CVE-2024-53990 #23731

Closed
wants to merge 3 commits into from

Conversation

Shawyeok
Contributor

@Shawyeok Shawyeok commented Dec 16, 2024

Motivation

Get rid of CVE-2024-53990; this eliminates CVE-2024-53990 completely from Pulsar's dependencies. You can see more context at: https://lists.apache.org/thread/fpg465pxytqkxbs57h7p3mckn9dwh3zq

Modifications

  • Upgrade async-http-client to 2.12.4

Verifying this change

  • Make sure that the change passes the CI checks.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: Shawyeok#21
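A way to verify the "eliminates it completely from the dependencies" claim rather than rely on the property bump alone, added here as an example (this is not code from the PR, from Pulsar, or from async-http-client): a POSIX shell check that reads `mvn dependency:tree` output and reports every org.asynchttpclient artifact whose resolved version is below 2.12.4, the version this PR moves to. The dependency-tree text, the com.example coordinates and the function names are constructed for illustration; only the group id, the artifact id and the 2.12.4 target come from the page.

```shell
#!/bin/sh
# Added example (not part of the PR or of Pulsar): flag any org.asynchttpclient
# artifact in `mvn dependency:tree` output that resolves below FIXED_VERSION.
# The artifacts in that group are released together, so the group is matched
# rather than only async-http-client itself.
set -u

FIXED_VERSION="2.12.4"   # the version the PR bumps async-http-client to

# Map a dotted version such as 2.12.4 to an integer (200120004) so versions
# compare numerically. A qualifier on the last component (-SNAPSHOT, .Final)
# is dropped; only three components are considered.
version_key() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}
    printf '%s\n' $(( ${major:-0} * 100000000 + ${minor:-0} * 10000 + ${patch:-0} ))
}

# True when version $1 is at least version $2.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Read dependency:tree text on stdin; print each org.asynchttpclient coordinate
# below FIXED_VERSION and return 1 if any was found, 0 if the tree is clean.
# Coordinates look like groupId:artifactId:type:version:scope (a classifier
# would insert a field before the version; that layout is not handled here).
scan_tree() {
    found=0
    while IFS= read -r line; do
        case $line in
            *org.asynchttpclient:*) ;;
            *) continue ;;
        esac
        ver=$(printf '%s\n' "$line" |
              sed -n 's/.*org\.asynchttpclient:[^:]*:[^:]*:\([^: ]*\).*/\1/p')
        [ -n "$ver" ] || continue
        if ! version_ge "$ver" "$FIXED_VERSION"; then
            printf 'still vulnerable: %s (%s < %s)\n' "$line" "$ver" "$FIXED_VERSION"
            found=1
        fi
    done
    return $found
}

# Constructed sample (not real Pulsar output): a tree before the bump, where
# the 2.12.3 artifacts are still pulled in transitively.
BEFORE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.asynchttpclient:async-http-client:jar:2.12.3:compile
[INFO] |  \- org.asynchttpclient:async-http-client-netty-utils:jar:2.12.3:compile
[INFO] \- io.netty:netty-handler:jar:4.1.0.Final:compile'

# Constructed sample: the same tree after the bump to 2.12.4.
AFTER_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.asynchttpclient:async-http-client:jar:2.12.4:compile
[INFO] |  \- org.asynchttpclient:async-http-client-netty-utils:jar:2.12.4:compile
[INFO] \- io.netty:netty-handler:jar:4.1.0.Final:compile'

# Demo: the pre-bump tree is flagged, the post-bump tree passes.
if printf '%s\n' "$BEFORE_TREE" | scan_tree; then
    echo "before: no old org.asynchttpclient artifact (unexpected for this sample)"
else
    echo "before: old org.asynchttpclient artifacts found"
fi
if printf '%s\n' "$AFTER_TREE" | scan_tree; then
    echo "after: no org.asynchttpclient artifact below $FIXED_VERSION"
fi
```

Against a real checkout, pipe `mvn -q dependency:tree` from the root into `scan_tree`; a non-zero exit means some path still resolves an old version, which a managed-version bump does not rule out on its own (a module with its own dependencyManagement, or a shaded artifact, can keep an older copy).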

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Dec 16, 2024
@lhotari
Member

lhotari commented Dec 16, 2024

@Shawyeok I've been handling this CVE and didn't notice your PR. There's actually more work to do in addressing dependency changes. I'm closing this PR in favor of #23732 where I've addressed the change from com.sun.activation:javax.activation to com.sun.activation:jakarta.activation.

@lhotari lhotari closed this Dec 16, 2024
@Shawyeok
Contributor Author

> @Shawyeok I've been handling this CVE and didn't notice your PR. There's actually more work to do in addressing dependency changes. I'm closing this PR in favor of #23732 where I've addressed the change from com.sun.activation:javax.activation to com.sun.activation:jakarta.activation.

ok, cool.
