Hi I am using zipkin-server. <a class="issue-link

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

CVE-2023-46604 support for zipkin-server about zipkin HOT 7 CLOSED

0yukkey0 commented on August 23, 2024

CVE-2023-46604 support for zipkin-server

from zipkin.

Comments (7)

codefromthecrypt commented on August 23, 2024

thanks for raising the issue. All CVEs that can be easily remedied will be done in the next few days and cut as a patch release.

Meanwhile, I'm trying to get a better understanding of current users. What configuration of zipkin do you run? Feel free to reply here or on gitter https://app.gitter.im/#/room/#openzipkin_zipkin:gitter.im

from zipkin.

0yukkey0 commented on August 23, 2024

@codefromthecrypt

Thanks for the reply.
I understand that it will be fixed soon. Looking forward to it.

I am also using the zipkin-server jar on the server where the SpringBoot application is deployed.

from zipkin.

codefromthecrypt commented on August 23, 2024

can you verify the master build addresses this CVE and also mention how you are validating CVEs?

from zipkin.

0yukkey0 commented on August 23, 2024

We use a service called Snyk to verify vulnerabilities.

We detected this when verifying with Snyk against the bundled spring boot and zipkin.
We checked the contents of the zipkin jar and found that it was a CVE-unsupported version.

from zipkin.

codefromthecrypt commented on August 23, 2024

ok thanks. are you able to test the current 2.24.4-SNAPSHOT (master) version prior to release?

from zipkin.

0yukkey0 commented on August 23, 2024

I saw the PR for the version update. Thanks.

I also confirmed that the version of the library contained in the jar created by building the master locally is updated.
Also, the snapshot version of the jar cleared the snyk check.

from zipkin.

codefromthecrypt commented on August 23, 2024

thanks for the help and attention! we'll release a patch tomorrow.

from zipkin.

Recommend Projects