Swikar,

Thanks for reaching out. Yes, we want to address this for the upcoming 4.0 release.

> some interesting things that might be relevant to this upgrade.

Can you elaborate? Curious to learn more.

Otherwise, let's move the discussion to the Jira ticket.


-Matthias

> whether it's researching compatibility issues

On 12/10/24 8:01 PM, Swikar Patel wrote:
Hi Radha,

I saw your Jira issue (KAFKA-18204) about upgrading Kafka to RocksDB 8.x or 9.x, and I wanted to offer my 
help. I attended the RocksDB meetup (https://www.meetup.com/rocksdb/) at Meta today and learned 
some interesting things that might be relevant to this upgrade.

I'm happy to assist in any way I can, whether it's researching compatibility 
issues, testing the upgrade, or contributing to the code changes. Please let me 
know if there are any specific tasks or areas where you need help.

Thanks,

Swikar


On Dec 10, 2024, at 6:58 PM, Radha Krishna Peteti (Jira) <j...@apache.org> 
wrote:

Radha Krishna Peteti created KAFKA-18204:
--------------------------------------------

             Summary: Upgrade to rocksdb 8.x+ (ideally 9.x)
                 Key: KAFKA-18204
                 URL: https://issues.apache.org/jira/browse/KAFKA-18204
             Project: Kafka
          Issue Type: Bug
            Reporter: Radha Krishna Peteti


Kafka still uses rocksdbjni version 7.x (ref: 
[https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle#L120]) 
which is no longer receiving backports from upstream.
Please update to rocksdb version 9.x (latest version) so that security updates 
are received.

Examples for critical vulnerabilities (CVE score 9.8) in rocksdb version 7.x:
[https://nvd.nist.gov/vuln/detail/CVE-2023-45853]
[https://nvd.nist.gov/vuln/detail/CVE-2022-37434]

(updating to the tip of 8.x release fixes these two vulnerabilities but for any 
new security fixes, we will need to move to 9.x)



