
Snakeyaml version should be updated to mitigate CVE-2022-28857 #4383

Closed
karthickm512 opened this issue Sep 5, 2022 · 6 comments · Fixed by #4387
security Pull requests that address a security vulnerability
Comments

@karthickm512

Describe the bug

Snakeyaml is impacted by a DoS vulnerability as described in CVE-2022-25857, and fabric8 kubernetes-client uses the impacted version of snakeyaml. It should be updated to the latest version, 1.31.

Fabric8 Kubernetes Client version

6.1.1

Steps to reproduce

Check the pom file for version :)

Expected behavior

Step up the dependent 3pp version

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.23

Environment

Linux

Fabric8 Kubernetes Client Logs

No response

Additional context

No response

@karthickm512
Author

@manusa

@manusa manusa self-assigned this Sep 5, 2022
@manusa manusa added security Pull requests that address a security vulnerability 5.12.x Backportable tentative labels Sep 5, 2022
@jeesmon

jeesmon commented Sep 15, 2022

@manusa Will this fix be backported to 5.12 branch? Thanks.

@manusa
Member

manusa commented Sep 16, 2022

> @manusa Will this fix be backported to 5.12 branch? Thanks.

Yes, it should be

@manusa manusa added this to the 5.12.4 milestone Sep 28, 2022
@manusa manusa removed the 5.12.x Backportable tentative label Sep 28, 2022
HyukjinKwon pushed a commit to apache/spark that referenced this issue Oct 24, 2022
### What changes were proposed in this pull request?
Upgrade fabric8io - kubernetes-client from 6.1.1 to 6.2.0

### Why are the changes needed?

[Release notes](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.2.0)
[Snakeyaml version should be updated to mitigate CVE-2022-28857](fabric8io/kubernetes-client#4383)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes #38348 from bjornjorgensen/kubernetes-client6.2.0.

Authored-by: Bjørn <bjornjorgensen@gmail.com>
Signed-off-by: Hyukjin Kwon <gurwls223@apache.org>
SandishKumarHN pushed a commit to SandishKumarHN/spark that referenced this issue Dec 12, 2022
### What changes were proposed in this pull request?
Upgrade fabric8io - kubernetes-client from 6.1.1 to 6.2.0

### Why are the changes needed?

[Release notes](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.2.0)
[Snakeyaml version should be updated to mitigate CVE-2022-28857](fabric8io/kubernetes-client#4383)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes apache#38348 from bjornjorgensen/kubernetes-client6.2.0.

Authored-by: Bjørn <bjornjorgensen@gmail.com>
Signed-off-by: Hyukjin Kwon <gurwls223@apache.org>
@asomov
Contributor

asomov commented Jan 11, 2023

@manusa this is not fixed. Together with the version upgrade, the API should be configured with a setting (which is introduced in the release)
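The point raised in the comment above is that the SnakeYAML 1.31 upgrade only adds the nesting-depth control; a parser that never sets it still relies on the library default. The following is an added example, not code from the fabric8 kubernetes-client project or from this thread's fix, showing how a direct SnakeYAML user configures the limit through `LoaderOptions` and how to check that over-nested input is actually rejected. It assumes the application hands documents to SnakeYAML directly (kubernetes-client goes through Jackson, whose wiring is not shown here), that SnakeYAML 1.31 or later is on the classpath, and it uses a constructed `[[[...]]]` document as test input; the depth limit of 20 and the alias cap are illustrative values, not recommendations from the project.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (not project code): a SnakeYAML loader with explicit resource limits.
public class HardenedYamlLoader {

    // Build a Yaml instance whose limits are set explicitly rather than left at defaults.
    // setNestingDepthLimit is the setting introduced with the 1.31 release.
    public static Yaml newRestrictedYaml(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);      // reject documents nested deeper than maxDepth
        opts.setAllowRecursiveKeys(false);        // reject self-referencing mapping keys
        opts.setMaxAliasesForCollections(50);     // cap alias expansion in collections
        return new Yaml(opts);
    }

    // Returns true when the document parsed, false when the loader rejected it.
    public static boolean tryLoad(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return true;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    // Constructed test input: a sequence nested `depth` levels deep, e.g. "[[[]]]" for depth 3.
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        Yaml yaml = newRestrictedYaml(20);
        // A shallow document is accepted; one well past the configured limit is rejected.
        System.out.println("depth 5 accepted:   " + tryLoad(yaml, nestedSequence(5)));
        System.out.println("depth 200 accepted: " + tryLoad(yaml, nestedSequence(200)));
    }
}
```

The useful check for a dependency upgrade like the one in this issue is the second `tryLoad` call: if it returns `true`, the new library version is present but the limit is not wired into the code path that parses untrusted input, which is exactly the gap the comment describes.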

@manusa manusa reopened this Jan 11, 2023
@asomov
Contributor

asomov commented Jan 11, 2023

@manusa we may address it here

@manusa
Member

manusa commented Feb 9, 2023

Superseded by #4754, fixed in #4836 (#4753)

@manusa manusa closed this as completed Feb 9, 2023