CVEs fixes, October 22 #2711

Closed
Haarolean opened this issue Oct 7, 2022 · 8 comments · Fixed by #2926 or #2929
Labels: good first issue (Up for grabs), scope/backend, status/accepted (An issue which has passed triage and has been accepted), type/security (Pull requests that address a security vulnerability)

Comments

@Haarolean (Contributor)

https://github.com/provectus/kafka-ui/actions/runs/3058781951/jobs/4935377778
Bump snakeyaml deps

@Haarolean Haarolean added the labels good first issue, scope/backend, type/security, status/accepted and hacktoberfest on Oct 7, 2022
@Haarolean Haarolean added this to Beginner in Up for grabs Oct 7, 2022
@github-actions github-actions bot added the status/triage Issues pending maintainers triage label Oct 7, 2022
@royca

royca commented Oct 9, 2022

Can I work on this and raise a PR?

@Haarolean (Contributor Author)

Haarolean commented Oct 9, 2022 via email

@Haarolean Haarolean removed the status/triage Issues pending maintainers triage label Oct 11, 2022
@vrnsky (Contributor)

vrnsky commented Oct 21, 2022

@royca If you don't mind, I would like to work on this, since there has been no PR or any discussion for 12 days.
@Haarolean please assign this issue to me if possible.

@Haarolean Haarolean assigned vrnsky and unassigned royca Oct 21, 2022
@Haarolean Haarolean added this to To do in Release 0.5 via automation Oct 21, 2022
@Haarolean Haarolean added this to the 0.5 milestone Oct 21, 2022
vrnsky pushed a commit to vrnsky/kafka-ui that referenced this issue Oct 23, 2022
vrnsky pushed a commit to vrnsky/kafka-ui that referenced this issue Oct 24, 2022
vrnsky pushed a commit to vrnsky/kafka-ui that referenced this issue Oct 24, 2022
@Haarolean Haarolean moved this from To do to In progress in Release 0.5 Oct 26, 2022
@Haarolean Haarolean self-assigned this Nov 11, 2022
@Haarolean Haarolean linked a pull request Nov 11, 2022 that will close this issue
@Haarolean (Contributor Author)

A fix for
CVE-2022-31690
CVE-2022-31692
The new dependency is not available yet; waiting for Spring Boot 2.7.6.

Fixes for:
CVE-2022-3171
CVE-2022-36944
GHSA-h4h5-3hr4-j3g2
are not available yet; blame/wait for Confluent.

SnakeYAML CVEs:
CVE-2022-25857
CVE-2022-38749
CVE-2022-38750
CVE-2022-38751
CVE-2022-38752

are false positives.

Others have been fixed within #2926

Release 0.5 automation moved this from In progress to Done Nov 14, 2022
@Haarolean Haarolean reopened this Nov 14, 2022
Release 0.5 automation moved this from Done to In progress Nov 14, 2022
@Haarolean Haarolean linked a pull request Nov 14, 2022 that will close this issue
Release 0.5 automation moved this from In progress to Done Nov 15, 2022
@Subrhamanya

@Haarolean I could see the snakeyaml CVEs are false positives. Is that so? I could see the issues created.

Here is an example: https://bitbucket.org/snakeyaml/snakeyaml/issues/525, and they have been resolved.

So, is it possible to provide snakeyaml version 1.33 in the 2.7.x version?

@Haarolean (Contributor Author)

@Subrhamanya yes, they are, according to this thread.
Anyway, we've bumped some dependencies once again and now we have a newer transitive snakeyaml version.

@Subrhamanya

Does that mean 2.7.6 version of spring-boot will have snakeyaml version 1.33?

@Haarolean (Contributor Author)

> Does that mean 2.7.6 version of spring-boot will have snakeyaml version 1.33?

AFAIK, yes.
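
The question above is about forcing a newer transitive SnakeYAML than the one a Spring Boot 2.7.x BOM manages. The fragment below is an added example and is not the kafka-ui project's own pom.xml; it assumes a Maven build that inherits from spring-boot-starter-parent (the groupId/artifactId/version values are placeholders). Both overrides are shown: the `snakeyaml.version` property, which spring-boot-starter-parent honours, and an explicit dependencyManagement entry, which also works when the BOM is only imported with scope `import` (properties are not applied in that case).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own build file.
     Placeholder coordinates: com.example / yaml-pin-demo / 0.0.1 -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>yaml-pin-demo</artifactId>
  <version>0.0.1</version>

  <properties>
    <!-- Overrides the version property spring-boot-dependencies declares.
         Only effective when the Spring Boot BOM is the parent, not when it
         is imported via dependencyManagement. -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed entry declared directly in this pom wins over the version
           inherited from the parent or pulled in from an imported BOM, so the
           transitive org.yaml:snakeyaml from spring-boot-starter resolves to 1.33. -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>${snakeyaml.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Pulls in snakeyaml transitively; no direct snakeyaml dependency is needed. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm what actually resolved with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`; the tree should show a single `org.yaml:snakeyaml:jar:1.33` under spring-boot-starter. Pinning a transitive library above the version a Spring Boot release was tested with is the usual trade-off here: the scanner finding goes away, but the pin must be re-checked (and usually removed) when the next Spring Boot patch release manages the newer version itself.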

@Haarolean Haarolean moved this from Beginner to Done in Up for grabs Dec 13, 2022
4 participants