Hi Radha, I saw your Jira issue (KAFKA-18204) about upgrading Kafka to RocksDB 8.x or 9.x, and I wanted to offer my help. I attended the RocksDB meetup (RocksDBMeetuphttps://www.meetup.com › rocksdb <https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.meetup.com/rocksdb/&ved=2ahUKEwiH7NKc6p6KAxW3JjQIHc4XBTYQFnoECAoQAQ&usg=AOvVaw3o9C0Iqg32XnD7iXmjo55B>) at Meta today and learned some interesting things that might be relevant to this upgrade.
I'm happy to assist in any way I can, whether it's researching compatibility issues, testing the upgrade, or contributing to the code changes. Please let me know if there are any specific tasks or areas where you need help. Thanks, Swikar > On Dec 10, 2024, at 6:58 PM, Radha Krishna Peteti (Jira) <j...@apache.org> > wrote: > > Radha Krishna Peteti created KAFKA-18204: > -------------------------------------------- > > Summary: Upgrade to rocksdb 8.x+ (ideally 9.x) > Key: KAFKA-18204 > URL: https://issues.apache.org/jira/browse/KAFKA-18204 > <https://issues.apache.org/jira/browse/KAFKA-18204> > Project: Kafka > Issue Type: Bug > Reporter: Radha Krishna Peteti > > > Kafka still uses rocksdbjni version 7.x (ref: > [https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L120 > <https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L120>]) > which is no longer receiving backports from upstream. > Please update to rocksdb version 9.x (latest version) so that security > updates are received. > > Examples for critical vulnerabilities (CVE score 9.8) in rocksdb version 7.x: > [https://nvd.nist.gov/vuln/detail/CVE-2023-45853 > <https://nvd.nist.gov/vuln/detail/CVE-2023-45853>] > [https://nvd.nist.gov/vuln/detail/CVE-2022-37434 > <https://nvd.nist.gov/vuln/detail/CVE-2022-37434>] > > (updating to the tip of 8.x release fixes these two vulnerabilities but for > any new security fixes, we will need to move to 9.x) >
