This is an automated email from the ASF dual-hosted git repository.

jlprat pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new ddb358e8d MINOR: document how to deal with advisories for dependencies (#647)
ddb358e8d is described below

commit ddb358e8d8ee7e705c6b059ff68984bc57b06fa6
Author: Arnout Engelen <[email protected]>
AuthorDate: Fri Mar 7 13:27:58 2025 +0100

    MINOR: document how to deal with advisories for dependencies (#647)
    
    See also https://cwiki.apache.org/confluence/display/SECURITY/Dealing+with+security+advisories+for+dependencies
    
    Reviewers: Josep Prat <[email protected]>
---
 cve-list.html | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cve-list.html b/cve-list.html
index c98d69ab3..95dc33794 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -7,7 +7,19 @@
 
 <h1>Apache Kafka Security Vulnerabilities</h1>
 
+<p>
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
+</p>
+
+<p>
+This page does <b>not</b> list security advisories for dependencies of Kafka.
+If your security scanner warns that there is an advisory for a dependency of 
Kafka, please
+see <a href="https://security.apache.org/report-dependency/";>this 
documentation</a>. You can find the current development versions
+of various dependencies <a 
href="https://github.com/apache/kafka/blob/trunk/gradle/dependencies.gradle";>here</a>.
+You can find a list of advisories that have been confirmed not to
+apply to Kafka <a 
href="https://github.com/apache/kafka/blob/trunk/gradle/resources/dependencycheck-suppressions.xml";>here</a>.
+You are invited to <a 
href="https://kafka.apache.org/contributing.html";>contribute</a> version 
updates or (motivated) suppressions.
+</p>
 
       <h2 id="CVE-2024-56128"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2024-56128";>CVE-2024-56128</a> SCRAM 
authentication vulnerable to replay attacks when used without encryption</h2>
 
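Review bot: both GitHub links in the new paragraph point at `trunk`, so the linked `dependencies.gradle` and `dependencycheck-suppressions.xml` describe the current development branch, not the released version a scanner is actually flagging; the text should say so, e.g. "for a specific Kafka release, check the same files on that release's branch or tag", otherwise a reader may conclude that a suppression present on trunk also covers an older release line. Two smaller points in the same paragraph: "(motivated) suppressions" reads as non-native English, "justified suppressions" (a suppression with a written reason why the advisory does not apply) is clearer; and the three bare "here" link texts are poor for accessibility and skimming, descriptive link text such as "the dependency versions used on trunk" and "the list of suppressed advisories" would be better. Finally, the `;` that appears directly after the closing `"` of each `href` (for example `href="https://security.apache.org/report-dependency/";>`) is not valid attribute syntax; if it is present in the committed file rather than being an artifact of the list archive's rendering, it should be removed.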
