Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Snakeyaml version should be updated to mitigate CVE-2022-28857 #4383

Closed
karthickm512 opened this issue Sep 5, 2022 · 6 comments · Fixed by #4387
Closed

Snakeyaml version should be updated to mitigate CVE-2022-28857 #4383

karthickm512 opened this issue Sep 5, 2022 · 6 comments · Fixed by #4387
Assignees
Labels
security Pull requests that address a security vulnerability
Milestone

Comments

@karthickm512
Copy link

Describe the bug

Snakeyaml is impacted by DoS vulnerability as described in CVE-2022-25857 and fabric8 kubernetes-client uses the impacted version of snakeyaml. It should be updated to latest 1.31.

Fabric8 Kubernetes Client version

6.1.1

Steps to reproduce

Check the pom file for version :)

Expected behavior

Stepup the dependent 3pp version

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.23

Environment

Linux

Fabric8 Kubernetes Client Logs

No response

Additional context

No response

@karthickm512
Copy link
Author

@manusa

@manusa manusa self-assigned this Sep 5, 2022
@manusa manusa added security Pull requests that address a security vulnerability 5.12.x Backportable tentative labels Sep 5, 2022
@manusa manusa moved this to Review in Eclipse JKube Sep 5, 2022
Repository owner moved this from Review to Done in Eclipse JKube Sep 5, 2022
@jeesmon
Copy link

jeesmon commented Sep 15, 2022

@manusa Will this fix be backported to 5.12 branch? Thanks.

@manusa
Copy link
Member

manusa commented Sep 16, 2022

@manusa Will this fix be backported to 5.12 branch? Thanks.

Yes, it should be

@manusa manusa added this to the 5.12.4 milestone Sep 28, 2022
@manusa manusa removed the 5.12.x Backportable tentative label Sep 28, 2022
HyukjinKwon pushed a commit to apache/spark that referenced this issue Oct 24, 2022
### What changes were proposed in this pull request?
Upgrade fabric8io - kubernetes-client from 6.1.1 to 6.2.0

### Why are the changes needed?

[Release notes](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.2.0)
[Snakeyaml version should be updated to mitigate CVE-2022-28857](fabric8io/kubernetes-client#4383)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes #38348 from bjornjorgensen/kubernetes-client6.2.0.

Authored-by: Bjørn <[email protected]>
Signed-off-by: Hyukjin Kwon <[email protected]>
SandishKumarHN pushed a commit to SandishKumarHN/spark that referenced this issue Dec 12, 2022
### What changes were proposed in this pull request?
Upgrade fabric8io - kubernetes-client from 6.1.1 to 6.2.0

### Why are the changes needed?

[Release notes](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.2.0)
[Snakeyaml version should be updated to mitigate CVE-2022-28857](fabric8io/kubernetes-client#4383)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes apache#38348 from bjornjorgensen/kubernetes-client6.2.0.

Authored-by: Bjørn <[email protected]>
Signed-off-by: Hyukjin Kwon <[email protected]>
@asomov
Copy link
Contributor

asomov commented Jan 11, 2023

@manusa this is not fixed. Together with the version upgrade, the API should be configured with a setting (which is introduced in the release)

@manusa manusa reopened this Jan 11, 2023
@manusa manusa moved this from Done to Planned in Eclipse JKube Jan 11, 2023
@asomov
Copy link
Contributor

asomov commented Jan 11, 2023

@manusa we may address it here

@manusa
Copy link
Member

manusa commented Feb 9, 2023

Superseded by #4754, fixed in #4836 (#4753)

@manusa manusa closed this as completed Feb 9, 2023
@github-project-automation github-project-automation bot moved this from Planned to Done in Eclipse JKube Feb 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants