Gentle reminder-2 -----Original Message----- From: Sahil Sharma D Sent: 12 July 2023 09:51 AM To: users@kafka.apache.org Subject: RE: Release plan required for version 3.5.1
Gentle reminder! -----Original Message----- From: Sahil Sharma D Sent: 03 July 2023 04:39 PM To: users@kafka.apache.org Subject: RE: Release plan required for version 3.5.1 Hi, That means below vulnerabilities are not appliable for kafka, right? CVE-2022-42003 CVE-2022-42004 CVE-2023-34454 CVE-2023-34453 CVE-2023-35116 Regards, Sahil -----Original Message----- From: Josep Prat <josep.p...@aiven.io.INVALID> Sent: 03 July 2023 02:02 PM To: users@kafka.apache.org Subject: Re: Release plan required for version 3.5.1 Hi Sahil, Thanks for caring about Apache Kafka's security. One can fix this situation by replacing the affected jar file with the one containing the fix for the vulnerabilities. We plan to add a write up under Apache Kafka's CVE page. Mind that Apache Kafka doesn't typically do emergency releases for CVEs discovered in their dependencies unless affectation in Kafka itself is major. That being said, if you take a look at the `dev` mailing list, you'll see that a maintainer already volunteered to be the release manager for 3.5.1: https://lists.apache.org/thread/q8rxv7wo8mwvzs3d25hzy987xph7f7nr If you want to be up-to-date with the release plan of 3.5.1 (contents, estimated timings and such) please check the `dev` mailing list as this information is usually shared there. The `user` mailing list usually gets notified when release candidates or new versions are created. Best, On Mon, Jul 3, 2023 at 9:46 AM Sahil Sharma D <sahil.d.sha...@ericsson.com.invalid> wrote: > Gentle reminder! > > From: Sahil Sharma D > Sent: 26 June 2023 08:18 PM > To: users@kafka.apache.org > Subject: Release plan required for version 3.5.1 > Importance: High > > Hi Team, > > There is an vulnerability on snappy-java-1.1.8.4.jar, are we impacted > due to this if we are using only client jar and kafka server. > > Below are the vulnerabilities that still open and we unable to find > any detail of these CVEs on jira. In which version these CVEs are > planned to be resolved? > CVE-2022-42003 > CVE-2022-42004 > CVE-2023-34454 > CVE-2023-34453 > CVE-2023-35116 > > Kindly share the release plan for version 3.5.1. > > Regards, > Sahil > -- [image: Aiven] <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-4fde1f84294d975c&q=1&e=2478bc68-679b-40d9-944b-4cde1de3c2b7&u=https%3A%2F%2Fwww.aiven.io%2F> *Josep Prat* Open Source Engineering Director, *Aiven* josep.p...@aiven.io | +491715557497 aiven.io <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-4fde1f84294d975c&q=1&e=2478bc68-679b-40d9-944b-4cde1de3c2b7&u=https%3A%2F%2Fwww.aiven.io%2F> | <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-83e1421cb9381159&q=1&e=2478bc68-679b-40d9-944b-4cde1de3c2b7&u=https%3A%2F%2Fwww.facebook.com%2Faivencloud> <https://www.linkedin.com/company/aiven/> <https://twitter.com/aiven_io> *Aiven Deutschland GmbH* Alexanderufer 3-7, 10117 Berlin Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen Amtsgericht Charlottenburg, HRB 209739 B
