Skip to main content

Posts

Re: FW: Kafka new version info with vulnerabilities fixes

Hi Vivek, On June 25th, Apache Kafka 4.3.1 was released and is available for use Of the CVEs you mentioned: Kafka Core - CVE-2026-41115 -> Fixed in 4.3.1 (documentation update) OpenTelemetry - CVE-2026-39882 -> seems to refer to opentelemetry-go and we use opentelemetry-proto only - CVE-2026-41078 -> seems to refer to opentelemetry-dotnet, we use opentelemetry-proto only - CVE-2026-40894 -> seems to refer to opentelemetry-dotnet, we use opentelemetry-proto only - CVE-2026-44967 -> seems to refer to opentelemetry-c++, we use opentelemetry-proto only JLine - GHSA-2r2c-cx56-8933 -> seems to refer to JLine-telnet. We don't use this submodule - GHSA-47qp-hqvx-6r3f -> seems to refer to JLine-telnet. We don't use this submodule - XRAY-1005950 and XRAY-1005951 -> these appear to be JFrog Xray internal database identifiers rather than CVEs, so we can't look them up publicly. Could you share the affected component and version fr...

FW: Kafka new version info with vulnerabilities fixes

Hello Team, Could you please confirm the plan to release a new Kafka version that includes fixes for vulnerabilities identified primarily in transient dependencies such as Jackson, JLine, OpenTelemetry and a few others? These are detected in kafka v4.3.0. Below is the list of identified vulnerabilities for reference: Kafka core CVE-2026-41115 OpenTelemetry CVE-2026-39882 CVE-2026-41078 CVE-2026-40894 CVE-2026-44967 JLine GHSA-2r2c-cx56-8933 GHSA-47qp-hqvx-6r3f XRAY-1005950 XRAY-1005951 Jackson - CVE-2026-54512 CVE-2026-54513 CVE-2026-54514 CVE-2026-54515 CVE-2026-54516 CVE-2026-54517 CVE-2026-54518 Regards Vivek

Kafka new version info with vulnerabilities fixes

Hello Team, Could you please confirm the plan to release a new Kafka version that includes fixes for vulnerabilities identified primarily in transient dependencies such as Jackson, JLine, OpenTelemetry and a few others? These are detected in kafka v4.3.0. Below is the list of identified vulnerabilities for reference: Kafka core CVE-2026-41115 OpenTelemetry CVE-2026-39882 CVE-2026-41078 CVE-2026-40894 CVE-2026-44967 JLine GHSA-2r2c-cx56-8933 GHSA-47qp-hqvx-6r3f XRAY-1005950 XRAY-1005951 Jackson - CVE-2026-54512 CVE-2026-54513 CVE-2026-54514 CVE-2026-54515 CVE-2026-54516 CVE-2026-54517 CVE-2026-54518 Regards Vivek

topic offset increases at restart of cluster

Hi I have run into a strange behaviour. I have a topic that has retention.ms and segment.ms set to one week. Hasn't been any traffic there for a long time, more than a week. So the logfile was empty. Name och the old logfile was 00000000000000069531.log. We have a job that checks the offset and fetches latest records if there are any, latest record fetched had offset 69530. So that indicates that no records had actually been added to the partition. Shortly after the restart, due to a operator upgrade, of the cluster the file got swiped and a new one created. [LocalLog partition=o01.qdpo01.qto01hah-1, dir=/var/lib/kafka/data/kafka-log1/o01.qdpo01.qto01hah-1] Rolled new log segment at offset 69532 in 1 ms. And also: [UnifiedLog partition=o01.qdpo01.qto01hah-1, dir=/var/lib/kafka/data/kafka-log1] Deleting segment LogSegment(baseOffset=69531, size=3819, lastModifiedTime=1783335231543, largestRecordTimestamp=0) due to log retention time 604800000ms breach based on the lar...

Re: Share consumer in Kafka 4.1.0

hi Soby Did you set the internal config group.share.enable=true? That is another switch that allows us to test the share protocol quickly. Best, Chia-Ping On 2025/09/04 20:09:12 Soby Chacko wrote: > Hi, > > When using the Kafka 4.0.0 client, we could enable shared consumers by > providing the following properties in an embedded Kafka environment. > > For example, > > "unstable.api.versions.enable=true", > "group.coordinator.rebalance.protocols=classic,share", > "share.coordinator.state.topic.replication.factor=1", > "share.coordinator.state.topic.min.isr=1" > > When upgrading to Kafka 4.1.0, the same tests work with just the last > two properties. Is that expected? (Basically, I don't need to set > unstable.api.versions.enable or group.coordinator.rebalance.protocols > in 4.1.0). > > The documentation shows something like setting share.version to 1 >...

Re: Kafka connect timestamp header serialization issue of Midnight UTC Timestamps

hi Vinayak thanks for your report. Yes, it is definitely an issue. I have opened https://issues.apache.org/jira/browse/KAFKA-20752 and my team is going to fix it. If you have free cycles, please feel free to take it over. Best, Chia-Ping On 2026/01/02 13:59:05 Vinayak Gaikwad wrote: > Hi team, > > Can anyone provide any suggestions on this issue? > > On Sun, Nov 30, 2025 at 12:29 PM Vinayak Gaikwad < > gaikwadvinayak291@gmail.com> wrote: > > > Hi, > > I am encountering an issue with how timestamp headers are serialized in > > Kafka Connect and would appreciate clarification on whether this is the > > intended behavior or a bug. > > > > Problem: Incorrect Serialization of Midnight UTC Timestamps > > When using connectors that produce timestamp headers (e.g., the MongoDB > > source connector), timestamps that fall exactly at midnight UTC are being > > serialized incorrectly, losi...

Re: [ANNOUNCE] Apache Kafka 4.3.1

Thanks to Bill Bejeck for running the release! Bill Bejeck <bbejeck@apache.org> 於 2026年6月26日週五 上午1:08寫道: > The Apache Kafka community is pleased to announce the release for > Apache Kafka 4.3.1 > > This bug-fix release includes several critical fixes as documented in the > release notes. > > All of the changes in this release can be found in the release notes: > https://www.apache.org/dist/kafka/4.3.1/RELEASE_NOTES.html > > You can download the source and binary release from: > https://kafka.apache.org/downloads#4.3.1 > > > --------------------------------------------------------------------------------------------------- > > > Apache Kafka is a distributed streaming platform with four core APIs: > > > ** The Producer API allows an application to publish a stream of records to > one or more Kafka topics. > > ** The Consumer API allows an application to subscribe to one or more > t...