[jira] [Resolved] (KAFKA-14660) Divide by zero security vulnerability (sonatype-2019-0422)

2023-02-04 Thread Andy Coates (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-14660?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Coates resolved KAFKA-14660.
-
Resolution: Fixed

> Divide by zero security vulnerability (sonatype-2019-0422)
> --
>
> Key: KAFKA-14660
> URL: https://issues.apache.org/jira/browse/KAFKA-14660
> Project: Kafka
>  Issue Type: Bug
>  Components: streams
>Affects Versions: 3.3.2
>Reporter: Andy Coates
>Assignee: Matthias J. Sax
>Priority: Minor
> Fix For: 3.5.0
>
>
> Looks like SonaType has picked up a "Divide by Zero" issue reported in a PR 
> and, because the PR was never merged, is now reporting it as a security 
> vulnerability in the latest Kafka Streams library.
>  
> See:
>  * [Vulnerability: sonatype-2019-0422](https://ossindex.sonatype.org/vulnerability/sonatype-2019-0422?component-type=maven&component-name=org.apache.kafka%2Fkafka-streams&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
>  * [Original PR](https://github.com/apache/kafka/pull/7414)
>  
> While it looks from the comments made by [~mjsax] and [~bbejeck] that the 
> divide-by-zero is not really an issue, the fact that it's now being reported 
> as a vulnerability is, especially with regulators.
> PITA, but we should consider either getting this vulnerability removed 
> (Google wasn't very helpful in providing info on how to do this), or fixed 
> (Again, not sure how to tag the fix as fixing this issue).  One option may 
> just be to reopen the PR and merge (and then fix forward by switching it to 
> throw an exception).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Request for JIRA account creation

2023-02-04 Thread Fq Public
Also, I would like permission to contribute to Apache Kafka.
My wiki ID is also fq.public5

Thanks,
Farooq

On Sat, 4 Feb 2023 at 12:23, Fq Public  wrote:

> Hi, I would like to request a JIRA account in order to be able to file a
> KIP and tickets related to this PR:
> https://github.com/apache/kafka/pull/10747
>
> Email: fq.publ...@gmail.com
> User name: fq.public5
> Display name: Farooq Qaiser
>
> Thanks,
> Farooq
>


Request for JIRA account creation

2023-02-04 Thread Fq Public
Hi, I would like to request a JIRA account in order to be able to file a
KIP and tickets related to this PR:
https://github.com/apache/kafka/pull/10747

Email: fq.publ...@gmail.com
User name: fq.public5
Display name: Farooq Qaiser

Thanks,
Farooq


[Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

2023-02-04 Thread Sourav Biswas
Hello Kafka Dev,
Issue: Say I need to configure multiple clients (consumer/producer) listening 
and publishing to different clusters inside the same application (same JVM). Both 
clusters use 
- sasl.mechanism = GSSAPI
- security.protocol = SASL_PLAINTEXT

But, different 'sasl.kerberos.service.name'.

Now, considering the above configuration, the client will create a KafkaChannel using 
SaslChannelBuilder, which uses a LoginManager.
https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L170
For this case, it should create a separate LoginManager for each cluster but it 
is creating only one. Because of this, authentication is failing for all clusters 
except one.

Reason:
A static Map of login managers is maintained, keyed by LoginMetadata:
       STATIC_INSTANCES.put(loginMetadata, loginManager);

- 
https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L109

- 
https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L113

LoginMetadata only considers the following fields to maintain its uniqueness.
    final T configInfo; // "KafkaClient"; Same for all clusters
    final Class loginClass; // Same for all clusters
    final Class loginCallbackClass; // Same for all clusters


Possible fix: Need to consider more fields 
(sasl.kerberos.service.name/client.id/something-else) to maintain more granular 
uniqueness.

Note: If you feel it's a bug, then I can raise a PR if I get a jira. Please 
share your thoughts.
~ Sourav
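To make the key collision described in this message concrete, here is a small model written for this thread (it is not Kafka's code; the record, class and field names are illustrative stand-ins): two clients that differ only in sasl.kerberos.service.name collapse to one cached LoginManager when the key covers only configInfo/loginClass/loginCallbackClass, and get separate managers once the service name is part of the key's equality.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Simplified model of the static LoginManager cache described above (Java 16+ for records).
// Written for this thread as an illustration; it is not Kafka's own code.
public class LoginManagerCacheDemo {

    // Stand-in for LoginManager: remembers which Kerberos service it logged in for.
    record LoginManager(String serviceName) {}

    // Per-client SASL settings for one cluster; only the service name differs below.
    record ClientConfig(String jaasSection, String loginClass, String callbackClass, String serviceName) {}

    // Current key shape: equals/hashCode cover only the three fields the message lists,
    // so two clusters that differ only in sasl.kerberos.service.name compare equal.
    record CurrentKey(String jaasSection, String loginClass, String callbackClass) {}

    // Proposed key shape: sasl.kerberos.service.name is part of equality.
    record ProposedKey(String jaasSection, String loginClass, String callbackClass, String serviceName) {}

    static final Map<Object, LoginManager> STATIC_INSTANCES = new HashMap<>();

    // Mirrors the cache lookup: reuse the manager whose key is equal to ours, else create one.
    static LoginManager acquire(Object key, ClientConfig cfg) {
        return STATIC_INSTANCES.computeIfAbsent(key, k -> new LoginManager(cfg.serviceName()));
    }

    // Runs both clients through the cache with the given key function and reports what cluster B got.
    static String run(String label, Function<ClientConfig, Object> keyOf) {
        STATIC_INSTANCES.clear();
        ClientConfig a = new ClientConfig("KafkaClient", "KerberosLogin", "DefaultCallback", "kafka-a");
        ClientConfig b = new ClientConfig("KafkaClient", "KerberosLogin", "DefaultCallback", "kafka-b");
        acquire(keyOf.apply(a), a);
        LoginManager forB = acquire(keyOf.apply(b), b);
        return String.format("%s: %d manager(s); cluster B authenticates to service '%s'",
                             label, STATIC_INSTANCES.size(), forB.serviceName());
    }

    public static void main(String[] args) {
        System.out.println(run("current key", c -> new CurrentKey(c.jaasSection(), c.loginClass(), c.callbackClass())));
        System.out.println(run("proposed key", c -> new ProposedKey(c.jaasSection(), c.loginClass(), c.callbackClass(), c.serviceName())));
    }
}
```

With the current key shape the second client silently reuses the first cluster's login, which is the authentication failure the message describes; with the proposed key each cluster gets its own manager.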




Re: Request for JIRA account creation

2023-02-04 Thread Luke Chen
Hi Farooq,

Your wiki ID is all set.
But for the JIRA account, the user name cannot allow the special character:
".".
Could you provide another user name without special characters?

Thank you.
Luke

On Sun, Feb 5, 2023 at 2:02 AM Fq Public  wrote:

> Also, I would like permission to contribute to Apache Kafka.
> My wiki ID is also fq.public5
>
> Thanks,
> Farooq
>
> On Sat, 4 Feb 2023 at 12:23, Fq Public  wrote:
>
> > Hi, I would like to request a JIRA account in order to be able to file a
> > KIP and tickets related to this PR:
> > https://github.com/apache/kafka/pull/10747
> >
> > Email: fq.publ...@gmail.com
> > User name: fq.public5
> > Display name: Farooq Qaiser
> >
> > Thanks,
> > Farooq
> >
>