Hi Sahil,
Please have a look at the dependencies for Kafka 3.5.1:
https://github.com/apache/kafka/blob/3.5.1/gradle/dependencies.gradle
and compare it with your list of CVEs.
Please also have a look here: https://kafka.apache.org/project-security
If you discover a security issue please follow the instructions on that
page and engage to resolve the security issue.
Best,
Bruno
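The comparison Bruno suggests (read the pinned versions out of `gradle/dependencies.gradle` and check them against a list of CVEs with their fixed-in versions) is mechanical enough to script. The following is an added example, not code from the Kafka project or from anyone in this thread. The Gradle snippet is a constructed sample modelled on the `versions += [ ... ]` block of Kafka's dependencies file, and the CVE-to-artifact mapping and fixed-in versions in `ADVISORIES` are assumptions to be confirmed against the actual advisories before relying on the result. The version comparison is numeric per component, which matters here: a plain string comparison would wrongly rank `1.1.8.4` above `1.1.10.1`.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample modelled on the `versions += [ ... ]` block of Kafka's
# gradle/dependencies.gradle. These version strings are illustrative only;
# read the real values from the file linked in the mail.
SAMPLE_DEPENDENCIES_GRADLE = '''
versions += [
  jackson: "2.13.5",
  snappy: "1.1.8.4",
  zstd: "1.5.5-1",
  slf4j: "1.7.36",
]
'''

# Assumed advisory table: CVE -> (key in the versions block, first fixed version).
# Which artifact a CVE belongs to and its fix version must be confirmed against
# the advisory itself; a None fix version means "no fixed release known yet",
# which the triage reports as needing manual review instead of guessing.
ADVISORIES: Dict[str, Tuple[str, Optional[str]]] = {
    "CVE-2022-42003": ("jackson", "2.13.4.2"),
    "CVE-2022-42004": ("jackson", "2.13.4"),
    "CVE-2023-34453": ("snappy", "1.1.10.1"),
    "CVE-2023-34454": ("snappy", "1.1.10.1"),
    "CVE-2023-35116": ("jackson", None),
}

# Matches one `key: "version",` entry inside the versions block.
VERSION_RE = re.compile(r'^\s*(\w+)\s*:\s*"([^"]+)"\s*,?\s*$')


def parse_versions(text: str) -> Dict[str, str]:
    """Extract key -> version pairs from the `versions += [ ... ]` block."""
    versions: Dict[str, str] = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("versions") and stripped.endswith("["):
            inside = True
            continue
        if inside and stripped.startswith("]"):
            break
        if inside:
            m = VERSION_RE.match(line)
            if m:
                versions[m.group(1)] = m.group(2)
    return versions


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Split on '.' and '-' and compare numeric components as integers.

    Numeric parts sort before non-numeric ones so that 1.1.10.1 > 1.1.8.4
    and a suffix such as '-1' does not break the comparison.
    """
    return tuple(
        (0, int(part)) if part.isdigit() else (1, part)
        for part in re.split(r"[.\-]", version)
    )


def is_at_least(have: str, need: str) -> bool:
    return version_key(have) >= version_key(need)


def triage(versions: Dict[str, str],
           advisories: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Return CVE -> 'fixed' | 'open' | 'unknown-dep' | 'needs-review'."""
    report: Dict[str, str] = {}
    for cve, (dep, fixed_in) in advisories.items():
        have = versions.get(dep)
        if have is None:
            report[cve] = "unknown-dep"      # artifact not pinned in this file
        elif fixed_in is None:
            report[cve] = "needs-review"     # no fix version recorded
        elif is_at_least(have, fixed_in):
            report[cve] = "fixed"
        else:
            report[cve] = "open"
    return report


if __name__ == "__main__":
    pinned = parse_versions(SAMPLE_DEPENDENCIES_GRADLE)
    for cve, status in sorted(triage(pinned, ADVISORIES).items()):
        dep, fixed_in = ADVISORIES[cve]
        print(f"{cve}: {status} ({dep} {pinned.get(dep)}, fixed in {fixed_in})")
```

Against the constructed sample this reports the two jackson CVEs as fixed, the two snappy CVEs as open and CVE-2023-35116 as needing review; point `parse_versions` at the real `dependencies.gradle` for the tag you ship and fill `ADVISORIES` from the advisories to get an answer for your build.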
On 7/26/23 6:20 AM, Sahil Sharma D wrote:
> Hi Kamal,
>
> Shall we consider the CVEs mentioned in the mail trail to be fixed in v3.5.1?
>
> We are unable to find the CVEs in Jira as suggested earlier.
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Kamal Chandraprakash <kamal.chandraprakash@gmail.com>
> Sent: 26 July 2023 09:42 AM
> To: users@kafka.apache.org
> Subject: Re: Release plan required for version 3.5.1
>
> Hi Sahil,
>
> Apache Kafka 3.5.1 is already released: https://kafka.apache.org/downloads
>
> On Wed, Jul 26, 2023 at 9:08 AM Sahil Sharma D <sahil.d.sharma@ericsson.com.invalid> wrote:
>
>> Gentle reminder-2
>>
>> -----Original Message-----
>> From: Sahil Sharma D
>> Sent: 12 July 2023 09:51 AM
>> To: users@kafka.apache.org
>> Subject: RE: Release plan required for version 3.5.1
>>
>> Gentle reminder!
>>
>> -----Original Message-----
>> From: Sahil Sharma D
>> Sent: 03 July 2023 04:39 PM
>> To: users@kafka.apache.org
>> Subject: RE: Release plan required for version 3.5.1
>>
>> Hi,
>>
>> That means the vulnerabilities below are not applicable to Kafka, right?
>> CVE-2022-42003
>> CVE-2022-42004
>> CVE-2023-34454
>> CVE-2023-34453
>> CVE-2023-35116
>>
>> Regards,
>> Sahil
>>
>> -----Original Message-----
>> From: Josep Prat <josep.prat@aiven.io.INVALID>
>> Sent: 03 July 2023 02:02 PM
>> To: users@kafka.apache.org
>> Subject: Re: Release plan required for version 3.5.1
>>
>> Hi Sahil,
>> Thanks for caring about Apache Kafka's security. One can fix this
>> situation by replacing the affected jar file with the one containing
>> the fix for the vulnerabilities. We plan to add a write up under
>> Apache Kafka's CVE page.
>> Mind that Apache Kafka doesn't typically do emergency releases for
>> CVEs discovered in their dependencies unless affectation in Kafka
>> itself is major.
>>
>> That being said, if you take a look at the `dev` mailing list, you'll
>> see that a maintainer already volunteered to be the release manager for 3.5.1:
>> https://lists.apache.org/thread/q8rxv7wo8mwvzs3d25hzy987xph7f7nr
>> If you want to be up-to-date with the release plan of 3.5.1 (contents,
>> estimated timings and such) please check the `dev` mailing list as
>> this information is usually shared there. The `user` mailing list
>> usually gets notified when release candidates or new versions are created.
>>
>> Best,
>>
>> On Mon, Jul 3, 2023 at 9:46 AM Sahil Sharma D
>> <sahil.d.sharma@ericsson.com.invalid>
>> wrote:
>>
>>> Gentle reminder!
>>>
>>> From: Sahil Sharma D
>>> Sent: 26 June 2023 08:18 PM
>>> To: users@kafka.apache.org
>>> Subject: Release plan required for version 3.5.1
>>> Importance: High
>>>
>>> Hi Team,
>>>
>>> There is a vulnerability in snappy-java-1.1.8.4.jar; are we
>>> impacted by this if we are using only the client jar and the Kafka server?
>>>
>>> Below are the vulnerabilities that are still open; we are unable to find
>>> any detail of these CVEs on Jira. In which version are these CVEs
>>> planned to be resolved?
>>> CVE-2022-42003
>>> CVE-2022-42004
>>> CVE-2023-34454
>>> CVE-2023-34453
>>> CVE-2023-35116
>>>
>>> Kindly share the release plan for version 3.5.1.
>>>
>>> Regards,
>>> Sahil
>>>
>>
>>
>> --
>> *Josep Prat*
>> Open Source Engineering Director, *Aiven*
>> josep.prat@aiven.io | +491715557497
>> aiven.io <https://www.aiven.io/> | <https://www.facebook.com/aivencloud>
>> <https://www.linkedin.com/company/aiven/> <https://twitter.com/aiven_io>
>> *Aiven Deutschland GmbH*
>> Alexanderufer 3-7, 10117 Berlin
>> Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
>> Amtsgericht Charlottenburg, HRB 209739 B
>>
>>
>