CVE-2022-23848: Alluxio 2.7.3 Release | Alluxio

In Alluxio before 2.7.3, the logserver does not validate the input stream. NOTE: this is not the same as the CVE-2021-44228 Log4j vulnerability.

We are excited to announce the release of Alluxio 2.7.3! This is an edge release for Alluxio open source on top of Alluxio 2.7.2, with a variety of bug fixes, documentation, and improvements.

HIGHLIGHTS

Addressed some memory leaks & crashes involving RocksDB

Areas of the codebase utilizing classes from the RocksDB library were updated to properly handle memory management (918e739).

Updated package dependencies to address security vulnerabilities

  • Update hadoop dependencies (af1e33e)
  • Bump gson version (dd017dc)
  • Update protobuf version (176152c) (1e234dd)
  • Update kubernetes packages (7d2f142)
  • Update jersey version (2f3dffe)
  • Update guava to fix some CVEs (fcb0b4c)
  • Upgrade log4j to 2.17.1 (a25b0ca)
  • Address CVE-2022-23848 (44d591b) (221f0ed)

IMPROVEMENTS

  • Add worker startup timeout property key (067e9d4)
  • Add stacks page in worker web UI (fa54b1b)
  • Support statfs for jnifuse (d3e231a)
  • Support web server/metrics sink in standby masters (a10823a)
  • Support Alluxio allowed Fuse truncates (4c8b555)
  • Add LoadTableCommand (f645405)
  • Support build ozone 1.2.1, remove shaded-ozone module (8993e46)
  • Make the checkConsistency command check more cases (20a7f4e)
  • Make recursive options consistent in the filesystem shell (99e76a8)

BUG FIXES

  • Fix the bug where loading metadata failed when the path is special (ea1cdc5)
  • Fix Hub + k8s issues due to bad formatting and missing log4j.properties (f49dc8b)
  • Fix metrics Worker.ActiveClients counter error (85ac996)
  • Fix argument in alluxio-fuse unmount when argument has trailing slash (85ac996)
  • Fix wrong method call to get username and wrong parameter assignment (afe74e0)
  • Fix the concurrent read/write in Fuse.open(READ_WRITE) (bb37aa8)
  • Fix journal dumper not working (3cb47b4)
  • Fix an NPE error when running test (7f164c8)
  • Fix incorrect calculation of cacheHitRatio (80cbd8d)

ACKNOWLEDGEMENTS

We want to thank the community for their valuable contributions to the Alluxio 2.7.3 release. In particular, we would like to thank:

Baolong Mao, Haoning Sun, Kevin Cai, ljl1988com, qian0817, striverpan, Xi Chen, Yaolong Liu

Enjoy the new release. We look forward to hearing your feedback on our community Slack channel.
