RE: Release plan required for version 3.5.1

Hi Kamal,

Shall we consider the CVEs mentioned in the mail trail as fixed in v3.5.1?

We are unable to find the CVEs in Jira as suggested earlier.

Regards,
Sahil

-----Original Message-----
From: Kamal Chandraprakash <kamal.chandraprakash@gmail.com>
Sent: 26 July 2023 09:42 AM
To: users@kafka.apache.org
Subject: Re: Release plan required for version 3.5.1

Hi Sahil,

Apache Kafka 3.5.1 is already released: https://kafka.apache.org/downloads

On Wed, Jul 26, 2023 at 9:08 AM Sahil Sharma D <sahil.d.sharma@ericsson.com.invalid> wrote:

> Gentle reminder-2
>
> -----Original Message-----
> From: Sahil Sharma D
> Sent: 12 July 2023 09:51 AM
> To: users@kafka.apache.org
> Subject: RE: Release plan required for version 3.5.1
>
> Gentle reminder!
>
> -----Original Message-----
> From: Sahil Sharma D
> Sent: 03 July 2023 04:39 PM
> To: users@kafka.apache.org
> Subject: RE: Release plan required for version 3.5.1
>
> Hi,
>
> That means the below vulnerabilities are not applicable to Kafka, right?
> CVE-2022-42003
> CVE-2022-42004
> CVE-2023-34454
> CVE-2023-34453
> CVE-2023-35116
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Josep Prat <josep.prat@aiven.io.INVALID>
> Sent: 03 July 2023 02:02 PM
> To: users@kafka.apache.org
> Subject: Re: Release plan required for version 3.5.1
>
> Hi Sahil,
> Thanks for caring about Apache Kafka's security. One can fix this
> situation by replacing the affected jar file with the one containing
> the fix for the vulnerabilities. We plan to add a write up under
> Apache Kafka's CVE page.
> Mind that Apache Kafka doesn't typically do emergency releases for
> CVEs discovered in their dependencies unless affectation in Kafka
> itself is major.
>
> That being said, if you take a look at the `dev` mailing list, you'll
> see that a maintainer already volunteered to be the release manager for 3.5.1:
> https://lists.apache.org/thread/q8rxv7wo8mwvzs3d25hzy987xph7f7nr
> If you want to be up-to-date with the release plan of 3.5.1 (contents,
> estimated timings and such) please check the `dev` mailing list as
> this information is usually shared there. The `user` mailing list
> usually gets notified when release candidates or new versions are created.
>
> Best,
>
> On Mon, Jul 3, 2023 at 9:46 AM Sahil Sharma D
> <sahil.d.sharma@ericsson.com.invalid>
> wrote:
>
> > Gentle reminder!
> >
> > From: Sahil Sharma D
> > Sent: 26 June 2023 08:18 PM
> > To: users@kafka.apache.org
> > Subject: Release plan required for version 3.5.1
> > Importance: High
> >
> > Hi Team,
> >
> > There is a vulnerability in snappy-java-1.1.8.4.jar; are we
> > impacted by this if we are using only the client jar and Kafka server?
> >
> > Below are the vulnerabilities that are still open, and we are unable to
> > find any detail of these CVEs in Jira. In which version are these CVEs
> > planned to be resolved?
> > CVE-2022-42003
> > CVE-2022-42004
> > CVE-2023-34454
> > CVE-2023-34453
> > CVE-2023-35116
> >
> > Kindly share the release plan for version 3.5.1.
> >
> > Regards,
> > Sahil
> >
>
>
> --
> *Josep Prat*
> Open Source Engineering Director, *Aiven*
> josep.prat@aiven.io | +491715557497
> aiven.io
> *Aiven Deutschland GmbH*
> Alexanderufer 3-7, 10117 Berlin
> Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen Amtsgericht
> Charlottenburg, HRB 209739 B
>
>
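
As an added example that is not part of the original thread or the Kafka project: a shell check to run before and after the jar replacement described in the quoted reply, listing copies of a dependency jar (such as the snappy-java-1.1.8.4.jar named in the thread) under an installation directory and flagging those below a minimum version. The function names, the directory argument and the minimum version are assumptions; the fixed version is not hard-coded and has to come from each CVE's advisory.

```shell
#!/bin/sh
# Added example (not from the thread): find copies of a dependency jar under a
# directory and flag those older than a minimum version supplied by the caller.
# Assumption: jars follow the Maven "<artifact>-<version>.jar" naming; copies
# bundled inside shaded/fat jars are not detected by a filename scan.

# Print the version part of "<artifact>-<version>.jar", or nothing if no match.
jar_version() {   # $1 = jar path, $2 = artifact name
  base=$(basename "$1")
  case "$base" in
    "$2"-[0-9]*.jar) base=${base#"$2"-}; printf '%s\n' "${base%.jar}" ;;
  esac
}

# True if version $1 sorts strictly before $2 (numeric per component, so
# 1.1.8.4 < 1.1.10.1, which a plain string comparison gets wrong).
# Assumption: a sort(1) that supports -V (GNU coreutils, busybox).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "STALE|OK <path> <version>" per matching jar; return 1 if any is stale.
audit_libs() {    # $1 = directory, $2 = artifact, $3 = minimum fixed version
  report=$(find "$1" -type f -name "$2-*.jar" | sort | while IFS= read -r jar; do
    ver=$(jar_version "$jar" "$2")
    [ -n "$ver" ] || continue
    if version_lt "$ver" "$3"; then
      printf 'STALE %s %s\n' "$jar" "$ver"
    else
      printf 'OK %s %s\n' "$jar" "$ver"
    fi
  done)
  if [ -n "$report" ]; then printf '%s\n' "$report"; fi
  if printf '%s\n' "$report" | grep -q '^STALE '; then return 1; fi
  return 0
}

# Usage: sh audit.sh <kafka-dir> <artifact> <min-fixed-version-from-advisory>
if [ "$#" -eq 3 ]; then audit_libs "$1" "$2" "$3"; fi
```

Scanning the whole installation tree rather than a single directory catches a second, unreplaced copy of the jar, for example in a plugin path.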
