Bug 269170 - net/kafka: update to 3.3.2
Summary: net/kafka: update to 3.3.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any, OS: Any
Importance: Normal (Affects Many People)
Assignee: Fernando Apesteguía
URL: https://downloads.apache.org/kafka/3....
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-01-26 16:14 UTC by Pavel Timofeev
Modified: 2023-02-05 17:24 UTC

See Also:
Flags: fernape: merge-quarterly+


Attachments
port patch (2.86 KB, patch), 2023-01-26 16:14 UTC, Pavel Timofeev; flags: timp87: maintainer-approval+

Description Pavel Timofeev 2023-01-26 16:14:29 UTC
Created attachment 239724
port patch

Update the port
Comment 1 Graham Perrin freebsd_committer freebsd_triage 2023-01-29 15:37:34 UTC
From the release notes: 

> [KAFKA-14320] - Upgrade Jackson for CVE fix

<https://issues.apache.org/jira/browse/KAFKA-14320> refers to <https://nvd.nist.gov/vuln/detail/CVE-2020-36518>. 

A broader list of vulnerabilities: <https://kafka.apache.org/cve-list>

Re: <https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify> we should have VuXML entries. 

Thanks
Comment 2 Nuno Teixeira freebsd_committer freebsd_triage 2023-01-31 11:27:56 UTC
(In reply to Graham Perrin from comment #1)

Hello Graham,

I can do the vuxml entry.
Is the following info correct?
---
- Affected packages: kafka < 3.3.2

- Apache Kafka reports:

"jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects."
---
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-03 12:49:09 UTC
(In reply to Nuno Teixeira from comment #2)
Yes, thanks
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-04 19:32:36 UTC
Committed and merged to 2023Q1.

Entry to VuXML added.

Thanks!
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-02-04 19:32:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=37508462426c3674c0b32cc7e8cb38dbafc2ecd5

commit 37508462426c3674c0b32cc7e8cb38dbafc2ecd5
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-02-04 19:24:09 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-02-04 19:27:58 +0000

    security/vuxml: Register net/kafka stack overflow vulnerability

    CVE-2020-36518

    PR:     269170

 security/vuxml/vuln/2023.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
Comment 6 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-04 19:33:32 UTC
Sorry, the commit is https://cgit.freebsd.org/ports/commit/?id=dbde71f335327288f1342260fba1d34f224fcdc8
Comment 7 Graham Perrin freebsd_committer freebsd_triage 2023-02-05 13:52:57 UTC
If I understand correctly, links out from <https://issues.apache.org/jira/browse/KAFKA-14320> show: 

a) 3.3.2 as a fixed version, where 3.3.1 was vulnerable

b) 3.4.0 as both affected and fixed, which puzzles me.

(In reply to commit-hook from comment #5)

<https://www.freshports.org/net/kafka/> shows 3.3.2 as vulnerable. Given (a) above, is this correct? 

Also puzzling: CVE-2020-36518 is not listed at <https://kafka.apache.org/cve-list>.
Comment 8 Nuno Teixeira freebsd_committer freebsd_triage 2023-02-05 14:08:43 UTC
(In reply to Graham Perrin from comment #7)

from https://issues.apache.org/jira/browse/KAFKA-14320

Affects Version/s: 3.2.0
Fix Version/s: 3.4.0, 3.3.2

vuxml should be fixed to:
Affected packages: kafka < 3.3.2

3.4.0 version is confusing me too.
Comment 9 Nuno Teixeira freebsd_committer freebsd_triage 2023-02-05 14:10:16 UTC
(In reply to Nuno Teixeira from comment #8)
(...)

also, 3.4.0 may be related to a different branch (3.4.x) and it's not present in ports tree, so affected versions should be < 3.3.2
Comment 10 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-05 14:42:52 UTC
Yes 3.4.x is a different branch. This problem affected several branches.
VuXML changed to 3.3.2

Graham, do not set Open to already closed PRs. That should be In Progress. Please read https://wiki.freebsd.org/Bugzilla/TriageTraining under "Basics".
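For readers unfamiliar with what was committed to security/vuxml/vuln/2023.xml, here is what a VuXML entry carrying the information agreed in comments 2 and 8-10 looks like (affected range kafka < 3.3.2, the quoted Apache Kafka text, CVE-2020-36518). This is an added illustration, not the entry Fernando committed: the vid and the discovery date are placeholders, since a real entry needs a freshly generated UUID and the upstream disclosure date, neither of which appears in this PR.

```xml
<!-- Illustrative VuXML entry (not the committed one). Placeholders: vid, discovery date. -->
<vuln vid="PLACEHOLDER-UUID-REPLACE-WITH-uuidgen-OUTPUT">
  <topic>kafka -- denial of service via deeply nested JSON in bundled jackson-databind</topic>
  <affects>
    <package>
      <name>kafka</name>
      <!-- 3.3.2 is the first fixed version in the ports tree; 3.4.x is a separate branch -->
      <range><lt>3.3.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Apache Kafka reports:</p>
      <blockquote cite="https://issues.apache.org/jira/browse/KAFKA-14320">
        <p>jackson-databind before 2.13.0 allows a Java StackOverflow exception
        and denial of service via a large depth of nested objects.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2020-36518</cvename>
    <url>https://issues.apache.org/jira/browse/KAFKA-14320</url>
    <url>https://nvd.nist.gov/vuln/detail/CVE-2020-36518</url>
  </references>
  <dates>
    <discovery>PLACEHOLDER-YYYY-MM-DD</discovery> <!-- upstream disclosure date, not given in this PR -->
    <entry>2023-02-04</entry>   <!-- date of the VuXML commit in comment 5 -->
    <modified>2023-02-05</modified> <!-- range corrected per comment 10 -->
  </dates>
</vuln>
```

Before committing, `make validate` in security/vuxml checks the file against the schema, and `pkg audit -F` on a host with kafka-3.3.1 installed should then flag it while kafka-3.3.2 stays clean.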
Comment 11 Graham Perrin freebsd_committer freebsd_triage 2023-02-05 14:45:54 UTC
(In reply to Fernando Apesteguía from comment #10)

That was a slip of the finger on a trackball wheel after using the menu, sorry. 

Do we need VuXML entries for any of the other vulnerabilities?
Comment 12 Fernando Apesteguía freebsd_committer freebsd_triage 2023-02-05 17:24:46 UTC
(In reply to Graham Perrin from comment #11)
Ideally we would. For instance for https://nvd.nist.gov/vuln/detail/CVE-2022-34917

The thing is that we are always behind in adding vulnerabilities to VuXML.