Hi, The CVE is related to the Kafka Connect API and I think of that as a false-positive for the Flink Kafka connector. I would be inclined to preferably get https://issues.apache.org/jira/browse/FLINK-32197 in, and then do a release afterwards. But I would like to understand from Mason if he thinks that's feasible.
Best regards, Martijn On Tue, Nov 7, 2023 at 9:45 AM Jean-Marc Paulin <j...@uk.ibm.com> wrote: > > Hi, > > I had a chat on [FLINK-31599] Update kafka version to 3.4.0 by Gerrrr · Pull > Request #11 · apache/flink-connector-kafka > (github.com)<https://github.com/apache/flink-connector-kafka/pull/11> . > > We are consuming Flink 1.18, and the flink-connector-kafka 3.0.1. > Flink 3.2.3 currently in use has the > CVE-2023-25194<https://www.mend.io/vulnerability-database/disclosure-policy/?query=CVE-2023-25194> > vulnerability addressed in Kafka 3.4.0. We will need to move to Kafka 3.4.0 > for our customers. I have tried to consume Kafka client 3.4.0 but that fails > after a while. I tracked that down to a change required in the > flink-connector-kafka source code. The PR11 above has the required changes, > and is merge in main, but is not currently released. > > I would really appreciate if you could release a newer version of the > flink-connector-kafka that would enable us to use Kafka 3.4.0. > > Many thanks > > JM > > [https://opengraph.githubassets.com/54669eeddff74373a431b6540c3602aefd5fb25232da040f59d9dbb1254615c6/apache/flink-connector-kafka/pull/11]<https://github.com/apache/flink-connector-kafka/pull/11> > [FLINK-31599] Update kafka version to 3.4.0 by Gerrrr · Pull Request #11 · > apache/flink-connector-kafka<https://github.com/apache/flink-connector-kafka/pull/11> > Apache flink. Contribute to apache/flink-connector-kafka development by > creating an account on GitHub. > github.com > > Unless otherwise stated above: > > IBM United Kingdom Limited > Registered in England and Wales with number 741598 > Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU
