Snakeyaml version should be updated to mitigate CVE-2022-28857 #4383
Comments
manusa added the labels security (Pull requests that address a security vulnerability) and 5.12.x (Backportable tentative), Sep 5, 2022
Repository owner moved this from Review to Done in Eclipse JKube, Sep 5, 2022
@manusa Will this fix be backported to the 5.12 branch? Thanks.
Yes, it should be.
HyukjinKwon pushed a commit to apache/spark that referenced this issue, Oct 24, 2022:

### What changes were proposed in this pull request?
Upgrade fabric8io - kubernetes-client from 6.1.1 to 6.2.0

### Why are the changes needed?
[Release notes](https://github.com/fabric8io/kubernetes-client/releases/tag/v6.2.0)
[Snakeyaml version should be updated to mitigate CVE-2022-28857](fabric8io/kubernetes-client#4383)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes #38348 from bjornjorgensen/kubernetes-client6.2.0.

Authored-by: Bjørn <[email protected]>
Signed-off-by: Hyukjin Kwon <[email protected]>
This was referenced Nov 14, 2022
SandishKumarHN pushed a commit to SandishKumarHN/spark that referenced this issue, Dec 12, 2022 (the same Spark commit, with the commit message quoted above).
@manusa this is not fixed. Together with the version upgrade, the API should be configured with a setting (which is introduced in the release).
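The setting referred to in the comment above is not named on this page. As an added illustration (not code from kubernetes-client or from anyone in this thread), the following assumes SnakeYAML 1.31 or later and its `LoaderOptions` nesting-depth limit, which is the knob an application should set alongside the version bump; the nested YAML input is constructed here only to exercise the limit.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlHardening {

    // Constructed input: a flow sequence nested 'depth' levels, e.g. [[[x]]].
    // No Kubernetes manifest needs anything close to the depths rejected below.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Loader with resource limits set explicitly rather than relying on defaults.
    // setNestingDepthLimit is assumed to be the option added in SnakeYAML 1.31.
    static Yaml hardenedYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(20);          // caps collection nesting (CVE-2022-25857)
        opts.setMaxAliasesForCollections(50);   // caps alias expansion in collections
        opts.setAllowRecursiveKeys(false);      // recursive keys are never needed for manifests
        return new Yaml(opts);
    }

    // Returns true when the loader rejects the document with a YAMLException.
    static boolean isRejected(Yaml yaml, String doc) {
        try {
            yaml.load(doc);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = hardenedYaml();
        Object ok = yaml.load(nested(10));      // within the limit: parses normally
        System.out.println("depth 10 parsed: " + ok);
        // Beyond the limit the composer aborts instead of building the nested structure.
        System.out.println("depth 1000 rejected: " + isRejected(yaml, nested(1000)));
    }
}
```

The same `LoaderOptions` instance is what a library like kubernetes-client would pass to its `Yaml` constructor, so the check to make after upgrading is that the limit is actually configured, not just that the artifact version changed.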
Describe the bug
Snakeyaml is impacted by a DoS vulnerability as described in CVE-2022-25857, and fabric8 kubernetes-client uses the impacted version of snakeyaml. It should be updated to the latest, 1.31.
Fabric8 Kubernetes Client version: 6.1.1
Steps to reproduce: Check the pom file for version :)
Expected behavior: Step up the dependent 3pp version
Runtime: Kubernetes (vanilla)
Kubernetes API Server version: 1.23
Environment: Linux
Fabric8 Kubernetes Client Logs: No response
Additional context: No response