Satish - Thank you for catching that. It is now fixed.

David - Please refer to the security@kafka mailing thread with "Reg CVE 2023-34455" where it was proposed to have an early release for 3.5.1. The rationale of releasing 3.5.1 early is to have a version of Kafka released which does not have any known CVE, specifically https://issues.apache.org/jira/browse/KAFKA-15096. Separately, I am going to start a PR today to update the CVE list with more information on this CVE and the potential workaround.
--
Divij Vaidya

On Mon, Jul 3, 2023 at 2:00 PM David Jacot <dja...@confluent.io.invalid> wrote:

> Hi Divij,
>
> Thanks for the release plan.
>
> I wonder if we should wait a little more as 3.5.0 was released on June 15th. Releasing 3.5.1 a month after seems not enough in order to have time to catch bugs in 3.5.0. I think that we usually release the first minor release ~3 months after the major one. Is there a reason to release it in July?
>
> As a side note, we don't have a formal code freeze for minor releases.
>
> Best,
> David
>
> On Mon, Jul 3, 2023 at 1:51 PM Divij Vaidya <divijvaidy...@gmail.com> wrote:
>
> > Hi folks
> >
> > Here's the release plan for
> > https://cwiki.apache.org/confluence/display/KAFKA/Release+plan+3.5.1
> >
> > 3.5.1 will be a bug fix release which also addresses some of the CVEs such as CVE-2023-34455 [1] in snappy-java. If all goes smoothly, I am estimating a release date in the 3rd or 4th week of July. I will continue to post important updates on the mailing list and you can also follow the progress on the release plan wiki above.
> >
> > *Call for action* 📢
> >
> > If you think that a commit from the trunk should be backported to 3.5.1, please let me know. Note that we usually backport only the critical bug fixes which don't have a production work around and security fixes. Note that code freeze is on 9th July and no new commits will be added to the 3.5.1 release after that.
> >
> > *Important dates* 📅
> >
> > 9th July - Code freeze for 3.5.1
> > 10th July - First release candidate is published for voting
> > 18th July - Expected completion of release
> >
> > --
> > Divij Vaidya
> > Release Manager for Apache Kafka 3.5.1
> >
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2023-34455