Hi Ismael,

While we only produce releases for the 2 most recent branches, many
users are still running older releases such as 2.6 and 2.7.

In the past, for security issues we produced releases for older
versions too. For example, for CVE-2018-1288, we released 0.10.2.2,
0.11.0.3, 1.1.0 and 1.1.0.

I think there is value in releasing the 2.6.3 and 2.7.2 bugfix
releases. In addition to the fix for this CVE, 2.6 has 11 unreleased
fixes and 2.7 has 26.

If nobody objects, I'm happy to run these 2 releases.

Thanks


On Wed, Oct 6, 2021 at 4:26 PM Ismael Juma <ism...@juma.me.uk> wrote:
>
> Hi Gary,
>
> The change has been backported to all the relevant branches. However,
> Apache Kafka produces releases from the two most recent branches. The fix
> is on the server side (broker and connect). I would encourage you to change
> your rules since clients maintain compatibility for all public apis in
> minor releases.
>
> Ismael
>
> On Tue, Oct 5, 2021 at 11:56 AM Gary Russell <gruss...@vmware.com> wrote:
>
> > Is there any chance that the fix for this CVE [1] can be backported (and
> > released) on the 2.5, 2.6 and 2.7 branches?
> >
> > We have 3 (soon to be 4) supported branches, based on the 2.5.x, 2.6.x,
> > 2.7.x, (and soon 3.0.0) clients.
> >
> > Our versioning rules forbid moving to a new minor release for a dependency
> > (e.g. 2.7.x to 2.8.x) in a patch release.
> >
> > Yes, the user can override the version to 2.8.1 (works on all of our
> > supported branches), but the problem is (s)he gets a vulnerable version
> > transitively and has to know to do so.
> >
> > Or, is this CVE on the broker side only (and not on the clients)? (I have
> > been unable to find the actual fix in the commit log).
> >
> > Thanks for your consideration.
> >
> > The Spring team.
> >
> > [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
> >
> >