[Bug] Upgrade shaded org.asynchttpclient:async-http-client <3.0.1 due to CVE #23745

Closed
3 tasks done
gergelyfabian opened this issue Dec 17, 2024 · 1 comment
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

@gergelyfabian

Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

pulsar-client:3.3.2

Minimal reproduce step

pulsar-client has a dependency on async-http-client in a version (2.12.1) that has a critical CVE:

GHSA-mfj5-cf8g-g2fv

What did you expect to see?

I'd like to be able to use pulsar-client without any critical/high CVEs included.

What did you see instead?

A critical CVE is detected when I use pulsar-client.

Anything else?

No response

Are you willing to submit a PR?

  • I'm willing to submit a PR!
@gergelyfabian gergelyfabian added the type/bug The PR fixed a bug or issue reported a bug label Dec 17, 2024
@lhotari
Member

lhotari commented Dec 18, 2024

@gergelyfabian CVE-2024-53990 has been updated. The vulnerability is also addressed in async-http-client 2.12.4. This was upgraded in #23732. An additional mitigation was made in #23725 to disable the use of cookies for usages of async-http-client in Pulsar.

This fix will be available in Pulsar 3.0.9 and Pulsar 4.0.2 clients. Pulsar 3.3.4 is not planned since Pulsar 3.3.x is not supported any more. The support period ended on December 5th. The community could decide on the dev-mailing list to do additional releases.

Pulsar 3.0.9 and Pulsar 4.0.2 will be released after the holidays. ETA around January 10th, 2025. There are more details in this dev-mailing list thread: https://lists.apache.org/thread/p9tofhkdczr4p48wc6v86145zwb5blb2. Potential plans for extending Pulsar 3.3.x could be shared in that thread if that would happen.

I'll close this issue.

@lhotari lhotari closed this as completed Dec 18, 2024
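The mitigation mentioned above (disabling cookie handling in async-http-client) can be expressed directly with the library's configuration builder. The following is an added example, not code from Pulsar or from #23725; it assumes async-http-client 2.12.x and that passing `null` to `DefaultAsyncHttpClientConfig.Builder.setCookieStore(...)` turns off automatic cookie storage and replay, which is the behaviour this example checks for before handing the config to a client.

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;

import java.io.IOException;

/**
 * Added example (not Pulsar's code): build an AsyncHttpClient whose
 * shared cookie store is disabled, so cookies set by one response are
 * never stored and replayed on later requests.
 *
 * Assumption: in async-http-client 2.12.x a null cookie store disables
 * cookie handling entirely. Verify this against the exact version you ship.
 */
public final class NoCookieAhcExample {

    /** Build a config with the cookie store switched off. */
    static DefaultAsyncHttpClientConfig buildNoCookieConfig() {
        return Dsl.config()
                .setCookieStore(null) // assumption: null => no cookie storage/replay
                .build();
    }

    /** Guard used before creating a client: refuse a config that still has a cookie store. */
    static DefaultAsyncHttpClientConfig requireCookiesDisabled(DefaultAsyncHttpClientConfig config) {
        if (config.getCookieStore() != null) {
            throw new IllegalStateException(
                    "cookie store is still enabled: " + config.getCookieStore().getClass().getName());
        }
        return config;
    }

    public static void main(String[] args) throws IOException {
        // The default builder ships with a cookie store; show that the hardened config does not.
        DefaultAsyncHttpClientConfig defaults = Dsl.config().build();
        System.out.println("default cookie store present: " + (defaults.getCookieStore() != null));

        DefaultAsyncHttpClientConfig hardened = requireCookiesDisabled(buildNoCookieConfig());
        try (AsyncHttpClient client = Dsl.asyncHttpClient(hardened)) {
            // No network call is made; this only demonstrates that the client
            // was constructed from a config without a cookie store.
            System.out.println("client cookie store: " + client.getConfig().getCookieStore());
        }
    }
}
```

The guard is there because a cookie store can be reintroduced by any later `setCookieStore(...)` call on the same builder; checking the built config rather than trusting the builder chain keeps the mitigation from silently regressing when the client construction code is refactored.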