I don't think Guava is a dependency in master or 2.5.0.

Ismael
On Tue, Apr 14, 2020 at 11:08 AM Guozhang Wang <wangg...@gmail.com> wrote:
> Thanks for the reported issue.
>
> For guava I think we should just upgrade the version to 24.1.1 or newer to
> resolve 10237.
>
> For rocksdbjni, I saw that at the moment even current master is still using
> bzip version 1.0.6, so 3189 and 12900 would still exist in the newest rocksDB
> version. I'd suggest you post on the rocksdb community and see if their
> community has a better understanding of how to resolve this?
>
>
> Guozhang
>
>
> On Mon, Apr 13, 2020 at 6:19 PM kangbotao <kangbo...@huawei.com> wrote:
>
> > Hi Kafka experts:
> >
> > I figured out that the guava and rocksdbjni used by Kafka in the
> > latest version, 2.4.1, relate to several CVEs.
> >
> > The CVE for guava 20 is CVE-2018-10237, and the CVEs for rocksdbjni
> > compiled with bzip2 1.0.6 are CVE-2016-3189 and CVE-2019-12900.
> >
> > Is Kafka affected by these CVEs?
> > Is there any plan to upgrade the version of guava and rocksdbjni?
> >
> > Sincerely look forward to your reply.
> >
> > BRs
> >
> >
>
> --
> -- Guozhang