Hi Mickael,

That issue was more severe and we decided to go beyond what we would
normally do. Having said that, you are welcome to drive the releases if you
have the cycles. My general advice stands: a bunch of open-source
dependencies have CVEs regularly, so it's best to stick with one of the two
most recent releases. We take compatibility very seriously to make it easy
for people to upgrade within a major version.

Ismael

On Thu, Oct 7, 2021 at 6:54 AM Mickael Maison <mickael.mai...@gmail.com>
wrote:

> Hi Ismael,
>
> While we only produce releases for the 2 most recent branches, many
> users are still running older releases such as 2.6 and 2.7.
>
> In the past, for security issues we produced releases for older
> versions too. For example, for CVE-2018-1288, we released 0.10.2.2,
> 0.11.0.3, 1.1.0 and 1.1.0.
>
> I think there is value in releasing the 2.6.3 and 2.7.2 bugfix
> releases. In addition to the fix for this CVE, 2.6 has 11 unreleased
> fixes and 2.7 has 26.
>
> If nobody objects, I'm happy to run these 2 releases.
>
> Thanks
>
>
> On Wed, Oct 6, 2021 at 4:26 PM Ismael Juma <ism...@juma.me.uk> wrote:
> >
> > Hi Gary,
> >
> > The change has been backported to all the relevant branches. However,
> > Apache Kafka produces releases from the two most recent branches. The fix
> > is on the server side (broker and connect). I would encourage you to
> > change your rules since clients maintain compatibility for all public
> > apis in minor releases.
> >
> > Ismael
> >
> > On Tue, Oct 5, 2021 at 11:56 AM Gary Russell <gruss...@vmware.com>
> wrote:
> >
> > > Is there any chance that the fix for this CVE [1] can be back ported
> > > (and released) on the 2.5, 2.6 and 2.7 branches?
> > >
> > > We have 3 (soon to be 4) supported branches, based on the 2.5.x, 2.6.x,
> > > 2.7.x, (and soon 3.0.0) clients.
> > >
> > > Our versioning rules forbid moving to a new minor release for a
> > > dependency (e.g. 2.7.x to 2.8.x) in a patch release.
> > >
> > > Yes, the user can override the version to 2.8.1 (works on all of our
> > > supported branches), but the problem is (s)he gets a vulnerable version
> > > transitively and has to know to do so.
> > >
> > > Or, is this CVE on the broker side only (and not on the clients)? (I
> > > have been unable to find the actual fix in the commit log).
> > >
> > > Thanks for your consideration.
> > >
> > > The Spring team.
> > >
> > > [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153
> > >
> > >
>
