Update Kotlin lib to 1.6.10, to address https://nvd.nist.gov/vuln/detail/CVE-2022-24329 #14579
Conversation
@codelipenghui this is a newly reported CVE.
org.jetbrains.kotlin-kotlin-stdlib-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-common-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.10.jar unaccounted for in LICENSE
org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar mentioned in LICENSE, but not bundled
org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar mentioned in LICENSE, but not bundled
org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar mentioned in LICENSE, but not bundled
org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar mentioned in LICENSE, but not bundled
@eolivelli you have to update LICENSE files
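The two kinds of findings in the check output above (a bundled jar that LICENSE does not mention, and a LICENSE entry for a jar that is no longer bundled) come from a set difference between the jars shipped in the distribution and the jar names listed in LICENSE. The script below is an added example, not Pulsar's own license-check script; it runs the same comparison on a constructed jar list and LICENSE excerpt, and additionally pairs each new jar with the stale entry for the same artifact so a reviewer can tell a plain version bump (update the LICENSE line) from a genuinely new or removed dependency (needs a license review). The jar names other than the Kotlin ones, and the LICENSE layout, are assumptions made for the example.

```python
"""Cross-check bundled jars against the LICENSE inventory.

Added example, not the project's own check script. Reproduces the two
findings printed in the review comment above and classifies them.
"""
import re

# Constructed sample input: jar names found under lib/ in a hypothetical
# distribution built after the Kotlin upgrade.
BUNDLED_JARS = [
    "org.jetbrains.kotlin-kotlin-stdlib-1.6.10.jar",
    "org.jetbrains.kotlin-kotlin-stdlib-common-1.6.10.jar",
    "org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.6.10.jar",
    "org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.6.10.jar",
    "com.example-foo-1.0.0.jar",  # hypothetical, unchanged dependency
]

# Constructed LICENSE excerpt in the " - <jar>" list style; still lists the
# pre-upgrade Kotlin jars and one hypothetical jar that was dropped.
LICENSE_TEXT = """\
This product bundles the following third-party jars:

Apache License, Version 2.0
 - org.jetbrains.kotlin-kotlin-stdlib-1.4.32.jar
 - org.jetbrains.kotlin-kotlin-stdlib-common-1.4.32.jar
 - org.jetbrains.kotlin-kotlin-stdlib-jdk7-1.4.32.jar
 - org.jetbrains.kotlin-kotlin-stdlib-jdk8-1.4.32.jar
 - com.example-foo-1.0.0.jar
 - com.example-bar-2.0.0.jar
"""

# "<group>-<artifact>-<version>.jar": the version is the last hyphen-separated
# segment that starts with a digit. Versions containing hyphens (for example
# "-SNAPSHOT") are not handled; such a name is returned with version None.
JAR_RE = re.compile(r"^(?P<artifact>.+)-(?P<version>\d[\w.]*)\.jar$")


def jars_mentioned(license_text):
    """Every token ending in .jar that appears anywhere in the LICENSE text."""
    return set(re.findall(r"\S+\.jar", license_text))


def check_license(bundled, license_text):
    """Return (unaccounted, not_bundled), each sorted.

    unaccounted: bundled jars that LICENSE never mentions.
    not_bundled: jars LICENSE mentions that are not in the distribution.
    """
    mentioned = jars_mentioned(license_text)
    bundled = set(bundled)
    return sorted(bundled - mentioned), sorted(mentioned - bundled)


def report(bundled, license_text):
    """Render findings in the same wording as the check output above."""
    unaccounted, not_bundled = check_license(bundled, license_text)
    lines = [f"{j} unaccounted for in LICENSE" for j in unaccounted]
    lines += [f"{j} mentioned in LICENSE, but not bundled" for j in not_bundled]
    return lines


def split_jar(name):
    """Split a jar file name into (artifact, version); version None if unparsed."""
    m = JAR_RE.match(name)
    if not m:
        return name, None
    return m.group("artifact"), m.group("version")


def version_bumps(unaccounted, not_bundled):
    """Pair each unaccounted jar with the stale entry for the same artifact.

    Returns (bumps, new_deps, removed): bumps is a list of (old_jar, new_jar)
    pairs that only need their LICENSE line updated; new_deps are bundled jars
    with no prior entry; removed are LICENSE entries with no bundled successor.
    """
    old_by_artifact = {split_jar(j)[0]: j for j in not_bundled}
    bumps, new_deps = [], []
    for jar in unaccounted:
        artifact, _ = split_jar(jar)
        if artifact in old_by_artifact:
            bumps.append((old_by_artifact.pop(artifact), jar))
        else:
            new_deps.append(jar)
    return bumps, new_deps, sorted(old_by_artifact.values())


if __name__ == "__main__":
    for line in report(BUNDLED_JARS, LICENSE_TEXT):
        print(line)
    bumps, new_deps, removed = version_bumps(*check_license(BUNDLED_JARS, LICENSE_TEXT))
    for old, new in bumps:
        print(f"version bump: {old} -> {new}")
    print("new dependencies needing license review:", new_deps)
    print("stale entries to delete:", removed)
```

The classification step is what makes this useful in review: on the constructed input all four Kotlin findings pair up as version bumps, so the fix is to rewrite four LICENSE lines, while the dropped hypothetical jar shows up as a stale entry to delete rather than as something to investigate.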
LGTM
The main concern is possible breaking changes. Kotlin stdlib was introduced in #13065. It's a transitive dependency of the OkHttp3 / Okio libraries. Has anyone checked the Kotlin release notes whether it's fine to replace Kotlin stdlib 1.4.x with 1.6.x?
@lhotari I totally share your point. In any case we don't have any other possibility (it looks like the 1.4 branch is not very active and Kotlin moved forward with 2 major releases). So I suggest committing this patch as soon as possible; this way we will have time to see regressions when people use the master branch for testing.
OkHttp3 is used by the io.kubernetes:client-java library that is used by the Pulsar Functions Kubernetes Runtime. We don't have many tests for that in Pulsar CI. That's why I suggested checking the Kotlin release notes to find out whether it's fine to replace Kotlin stdlib 1.4.x with 1.6.x.
This is the Kotlin changelog. It's honestly complex to predict issues due to the upgrade.
The CVE is rated as medium, with a 5.0 score.
I would prefer to add an exclusion for now instead of committing the upgrade without proper testing, and then upgrade Kotlin at the same time we upgrade Okio and OkHttp3.
Note that we have to cherry-pick this change to 2.9 branch also.
I agree with @nicoloboschi
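The "exclusion for now" proposed above maps, for the OWASP dependency-check report that raised this finding, to a suppression entry. The fragment below is an added example of what a narrowly scoped suppression looks like; it is not taken from Pulsar's suppression file. It matches only the Kotlin stdlib artifacts and only this CVE, carries an expiry date so the suppression cannot silently outlive the planned Okio/OkHttp3 upgrade, and records the reason in the notes so the next reader does not have to rediscover this thread. The `until` date, the packageUrl pattern and the wording of the note are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a scoped OWASP dependency-check suppression; not the
     project's own file. Dates and patterns are assumptions for illustration. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Scope 1: only the kotlin-stdlib artifacts (stdlib, -common, -jdk7, -jdk8),
         not every org.jetbrains.kotlin artifact. -->
    <!-- Scope 2: only CVE-2022-24329, so a future CVE against the same jars
         still fails the build. -->
    <!-- Scope 3: expiry date (assumed), after which the finding reappears and
         forces the deferred upgrade to be revisited. -->
    <suppress until="2022-06-30Z">
        <notes><![CDATA[
        CVE-2022-24329 on kotlin-stdlib 1.4.x (transitive via OkHttp3/Okio,
        used by io.kubernetes:client-java in the Functions Kubernetes runtime).
        Deferred: upgrade to Kotlin 1.6.x together with the Okio/OkHttp3 upgrade
        once the runtime is covered by tests. See PR #14579.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib(\-common|\-jdk7|\-jdk8)?@.*$</packageUrl>
        <cve>CVE-2022-24329</cve>
    </suppress>
</suppressions>
```

A suppression without a `<cve>` or `<vulnerabilityName>` child would silence every current and future finding for the matched packages; keeping the CVE element and the expiry is what makes this a deferral rather than a blind spot.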
Motivation
OWASP checker reports this vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
Modifications
Update Kotlin lib to 1.6.10, to address https://nvd.nist.gov/vuln/detail/CVE-2022-24329
Verifying this change