Hi Sahil,
Please have a look at the dependencies for Kafka 3.5.1:
https://github.com/apache/kafka/blob/3.5.1/gradle/dependencies.gradle
and compare it with your list of CVEs.
Please also have a look here: https://kafka.apache.org/project-security
If you discover a security issue please follow the instructions on that
page and engage to resolve the security issue.
Best,
Bruno
On 7/26/23 6:20 AM, Sahil Sharma D wrote:
Hi Kamal,
Shall we consider CVEs mentioned in mail trail are fixed in v3.5.1?
We are unable to find the CVEs in Jira as suggested earlier.
Regards,
Sahil
-----Original Message-----
From: Kamal Chandraprakash <kamal.chandraprak...@gmail.com>
Sent: 26 July 2023 09:42 AM
To: users@kafka.apache.org
Subject: Re: Release plan required for version 3.5.1
Hi Sahil,
Apache Kafka 3.5.1 is already released: https://kafka.apache.org/downloads
On Wed, Jul 26, 2023 at 9:08 AM Sahil Sharma D
<sahil.d.sha...@ericsson.com.invalid> wrote:
Gentle reminder-2
-----Original Message-----
From: Sahil Sharma D
Sent: 12 July 2023 09:51 AM
To: users@kafka.apache.org
Subject: RE: Release plan required for version 3.5.1
Gentle reminder!
-----Original Message-----
From: Sahil Sharma D
Sent: 03 July 2023 04:39 PM
To: users@kafka.apache.org
Subject: RE: Release plan required for version 3.5.1
Hi,
That means below vulnerabilities are not appliable for kafka, right?
CVE-2022-42003
CVE-2022-42004
CVE-2023-34454
CVE-2023-34453
CVE-2023-35116
Regards,
Sahil
-----Original Message-----
From: Josep Prat <josep.p...@aiven.io.INVALID>
Sent: 03 July 2023 02:02 PM
To: users@kafka.apache.org
Subject: Re: Release plan required for version 3.5.1
Hi Sahil,
Thanks for caring about Apache Kafka's security. One can fix this
situation by replacing the affected jar file with the one containing
the fix for the vulnerabilities. We plan to add a write up under
Apache Kafka's CVE page.
Mind that Apache Kafka doesn't typically do emergency releases for
CVEs discovered in their dependencies unless affectation in Kafka
itself is major.
That being said, if you take a look at the `dev` mailing list, you'll
see that a maintainer already volunteered to be the release manager for 3.5.1:
https://lists.apache.org/thread/q8rxv7wo8mwvzs3d25hzy987xph7f7nr
If you want to be up-to-date with the release plan of 3.5.1 (contents,
estimated timings and such) please check the `dev` mailing list as
this information is usually shared there. The `user` mailing list
usually gets notified when release candidates or new versions are created.
Best,
On Mon, Jul 3, 2023 at 9:46 AM Sahil Sharma D
<sahil.d.sha...@ericsson.com.invalid>
wrote:
Gentle reminder!
From: Sahil Sharma D
Sent: 26 June 2023 08:18 PM
To: users@kafka.apache.org
Subject: Release plan required for version 3.5.1
Importance: High
Hi Team,
There is an vulnerability on snappy-java-1.1.8.4.jar, are we
impacted due to this if we are using only client jar and kafka server.
Below are the vulnerabilities that still open and we unable to find
any detail of these CVEs on jira. In which version these CVEs are
planned to be resolved?
CVE-2022-42003
CVE-2022-42004
CVE-2023-34454
CVE-2023-34453
CVE-2023-35116
Kindly share the release plan for version 3.5.1.
Regards,
Sahil
--
[image: Aiven] <
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-45444
5555731-4fde1f84294d975c&q=1&e=2478bc68-679b-40d9-944b-4cde1de3c2b7&u=
https%3A%2F%2Fwww.aiven.io%2F
*Josep Prat*
Open Source Engineering Director, *Aiven*
josep.p...@aiven.io | +491715557497
aiven.io <
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-4fde1f84294d975c&q=1&e=2478bc68-679b-40d9-944b-4cde1de3c2b7&u=https%3A%2F%2Fwww.aiven.io%2F>
| <
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-45444
5555731-83e1421cb9381159&q=1&e=2478bc68-679b-40d9-944b-4cde1de3c2b7&u=
https%3A%2F%2Fwww.facebook.com%2Faivencloud
<https://www.linkedin.com/company/aiven/> <
https://twitter.com/aiven_io>
*Aiven Deutschland GmbH*
Alexanderufer 3-7, 10117 Berlin
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen Amtsgericht
Charlottenburg, HRB 209739 B
