Skip to content

[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990 #23732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lhotari merged 3 commits into from
Dec 16, 2024
Merged

[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990 #23732

lhotari merged 3 commits into from
Dec 16, 2024

Conversation

@lhotari
Copy link
Member

@lhotari lhotari commented Dec 16, 2024
edited
Loading

Motivation

Upgrade to async-http-client 2.12.4 which contains a fix for CVE-2024-53990. See https://lists.apache.org/thread/fpg465pxytqkxbs57h7p3mckn9dwh3zq for more details.

Modifications

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari added this to the 4.1.0 milestone Dec 16, 2024
@lhotari lhotari self-assigned this Dec 16, 2024
@lhotari lhotari changed the title [fix][sec] Upgrade async-http-client to 2.12.4 [fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990 Dec 16, 2024
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Dec 16, 2024
This was referenced Dec 16, 2024
Closed
Closed
@codecov-commenter
Copy link

codecov-commenter commented Dec 16, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.40%. Comparing base (bbc6224) to head (3d87803).
Report is 794 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #23732      +/-   ##
============================================
+ Coverage     73.57%   74.40%   +0.83%     
- Complexity    32624    35097    +2473     
============================================
  Files          1877     1945      +68     
  Lines        139502   147510    +8008     
  Branches      15299    16280     +981     
============================================
+ Hits         102638   109761    +7123     
- Misses        28908    29273     +365     
- Partials       7956     8476     +520
Flag Coverage Δ
inttests 27.27% <ø> (+2.68%) ⬆️
systests 24.35% <ø> (+0.02%) ⬆️
unittests 73.80% <ø> (+0.95%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 675 files with indirect coverage changes

@lhotari lhotari merged commit 9a7269a into apache:master Dec 16, 2024
52 of 53 checks passed
lhotari added a commit that referenced this pull request Dec 16, 2024
@lhotari
[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990
c49a2e5 
 (#23732)

(cherry picked from commit 9a7269a)
lhotari added a commit that referenced this pull request Dec 16, 2024
@lhotari
[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990
1fa459d 
 (#23732)

(cherry picked from commit 9a7269a)
lhotari added a commit that referenced this pull request Dec 16, 2024
@lhotari
[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990
9c04964 
 (#23732)

(cherry picked from commit 9a7269a)
@lhotari lhotari mentioned this pull request Dec 18, 2024
Closed
3 tasks
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 19, 2024
@lhotari @nikhil-ctds
[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990
a149570 
 (apache#23732)

(cherry picked from commit 9a7269a)
(cherry picked from commit 9c04964)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 23, 2024
@lhotari @srinath-ctds
[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990
41eb828 
 (apache#23732)

(cherry picked from commit 9a7269a)
(cherry picked from commit 9c04964)
@lhotari
Copy link
Member Author

lhotari commented Jan 17, 2025

The releases are in-progress to include this fix. Ongoing vote threads:
Release Apache Pulsar 3.0.9 based on 3.0.9-candidate-2
Release Apache Pulsar 3.3.4 based on 3.3.4-candidate-2
Release Apache Pulsar 4.0.2 based on 4.0.2-candidate-3

hanmz pushed a commit to hanmz/pulsar that referenced this pull request Feb 12, 2025
@lhotari @hanmz
[fix][sec] Upgrade async-http-client to 2.12.4 to address CVE-2024-53990
1d4b40f 
 (apache#23732)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nodece nodece nodece approved these changes

@dao-jun dao-jun dao-jun approved these changes

@merlimat merlimat Awaiting requested review from merlimat

@Technoboy- Technoboy- Awaiting requested review from Technoboy-

Assignees

@lhotari lhotari

Labels

cherry-picked/branch-3.0 cherry-picked/branch-3.3 cherry-picked/branch-4.0 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.9 release/3.3.4 release/4.0.2

Projects

None yet

Milestone

4.1.0

Development

Successfully merging this pull request may close these issues.

4 participants

@lhotari @codecov-commenter @nodece @dao-jun