Hi Gary,

The change has been backported to all the relevant branches. However, Apache Kafka produces releases from the two most recent branches. The fix is on the server side (broker and connect). I would encourage you to change your rules since clients maintain compatibility for all public APIs in minor releases.

Ismael

On Tue, Oct 5, 2021 at 11:56 AM Gary Russell <gruss...@vmware.com> wrote:

> Is there any chance that the fix for this CVE [1] can be backported (and released) on the 2.5, 2.6 and 2.7 branches?
>
> We have 3 (soon to be 4) supported branches, based on the 2.5.x, 2.6.x, 2.7.x, (and soon 3.0.0) clients.
>
> Our versioning rules forbid moving to a new minor release for a dependency (e.g. 2.7.x to 2.8.x) in a patch release.
>
> Yes, the user can override the version to 2.8.1 (works on all of our supported branches), but the problem is (s)he gets a vulnerable version transitively and has to know to do so.
>
> Or, is this CVE on the broker side only (and not on the clients)? (I have been unable to find the actual fix in the commit log).
>
> Thanks for your consideration.
>
> The Spring team.
>
> [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153