Hi all,

Sorry for the late reply. I will follow up with the reviewers on
https://issues.apache.org/jira/browse/FLINK-32197. I think we can
definitely release a new Kafka connector before Flink 1.19 but do note it
is the holiday season, so I can't speak on when the exact date will work
for the community.

Reading the CVE, there are some suggestions to do validation in your
application properties to remediate the CVE that is independent of the
Kafka version upgrade.

Best,
Mason
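The property validation mentioned above, as an added example that is not code from this thread or from the Flink project: a check a Flink job can run over its Kafka client properties before handing them to the connector. It assumes an allow list of the login modules the job legitimately uses; the class name JaasConfigValidator, the list contents and the sample properties are this example's own.

```java
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Rejects Kafka client properties whose JAAS config names a login module outside an allow list. */
public final class JaasConfigValidator {

    // Assumed allow list: the login modules a typical Flink Kafka job needs. Extend as required.
    private static final List<String> ALLOWED_LOGIN_MODULES = List.of(
        "org.apache.kafka.common.security.plain.PlainLoginModule",
        "org.apache.kafka.common.security.scram.ScramLoginModule",
        "com.sun.security.auth.module.Krb5LoginModule");

    // A JAAS entry starts with the login module class name followed by a control flag.
    private static final Pattern LOGIN_MODULE = Pattern.compile(
        "^\\s*([\\w.$]+)\\s+(required|requisite|sufficient|optional)\\b", Pattern.CASE_INSENSITIVE);

    /** Returns the offending property key, or null if every JAAS config is acceptable. */
    public static String findDisallowedJaasConfig(Properties props) {
        for (Map.Entry<Object, Object> entry : props.entrySet()) {
            String key = String.valueOf(entry.getKey());
            // Covers sasl.jaas.config and any prefixed override such as producer.override.sasl.jaas.config.
            if (!key.endsWith("sasl.jaas.config")) continue;
            Matcher m = LOGIN_MODULE.matcher(String.valueOf(entry.getValue()));
            if (!m.find() || !ALLOWED_LOGIN_MODULES.contains(m.group(1))) return key;
        }
        return null;
    }

    /** Fail fast before the properties reach the Kafka client. */
    public static Properties requireSafe(Properties props) {
        String bad = findDisallowedJaasConfig(props);
        if (bad != null) throw new IllegalArgumentException("Disallowed login module in " + bad);
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample properties.
        Properties ok = new Properties();
        ok.put("sasl.jaas.config",
            "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"u\" password=\"p\";");
        System.out.println("accepted, offending key: " + findDisallowedJaasConfig(ok));

        Properties bad = new Properties();
        bad.put("producer.override.sasl.jaas.config", "com.sun.security.auth.module.JndiLoginModule required;");
        System.out.println("rejected, offending key: " + findDisallowedJaasConfig(bad));
    }
}
```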

On Fri, Nov 10, 2023 at 2:12 AM Martijn Visser <martijnvis...@apache.org>
wrote:

> Hi Jean-Marc,
>
> To be fair, the Flink project has a lot of dependencies that have
> false-positives from a Flink pov. We just can't fix all of them.
>
> Let's see what others say on this topic.
>
> Best regards,
>
> Martijn
>
> On Fri, Nov 10, 2023 at 10:56 AM Jean-Marc Paulin <j...@uk.ibm.com> wrote:
> >
> > Hi,
> >
> > I am not exactly thrilled by the False positive statement. This always
> > leads to a difficult discussion with customers.
> >
> > Is there a chance of releasing a version of the connector to just add
> > support for Kafka 3.4.0, in conjunction with Flink 1.18?
> >
> > Kind regards
> >
> > Jean-Marc
> > ________________________________
> > From: Martijn Visser <martijnvis...@apache.org>
> > Sent: Thursday, November 9, 2023 13:51
> > To: dev@flink.apache.org <dev@flink.apache.org>; Mason Chen <mas.chen6...@gmail.com>
> > Subject: [EXTERNAL] Re: Request a release of flink-connector-kafka
> > version 3.1.0 (to consume kafka 3.4.0 with Flink 1.18)
> >
> > Hi,
> >
> > The CVE is related to the Kafka Connect API and I think of that as a
> > false-positive for the Flink Kafka connector. I would be inclined to
> > preferably get https://issues.apache.org/jira/browse/FLINK-32197  in,
> > and then do a release afterwards. But I would like to understand from
> > Mason if he thinks that's feasible.
> >
> > Best regards,
> >
> > Martijn
> >
> > On Tue, Nov 7, 2023 at 9:45 AM Jean-Marc Paulin <j...@uk.ibm.com> wrote:
> > >
> > > Hi,
> > >
> > > I had a chat on [FLINK-31599] Update kafka version to 3.4.0 by Gerrrr
> > > · Pull Request #11 · apache/flink-connector-kafka (github.com)
> > > <https://github.com/apache/flink-connector-kafka/pull/11>.
> > >
> > > We are consuming Flink 1.18, and the flink-connector-kafka 3.0.1.
> > > Flink 3.2.3 currently in use has the CVE-2023-25194
> > > <https://www.mend.io/vulnerability-database/disclosure-policy/?query=CVE-2023-25194>
> > > vulnerability addressed in Kafka 3.4.0. We will need to move to Kafka
> > > 3.4.0 for our customers. I have tried to consume Kafka client 3.4.0 but
> > > that fails after a while. I tracked that down to a change required in the
> > > flink-connector-kafka source code. The PR11 above has the required changes,
> > > and is merged in main, but is not currently released.
> > >
> > > I would really appreciate it if you could release a newer version of the
> > > flink-connector-kafka that would enable us to use Kafka 3.4.0.
> > >
> > > Many thanks
> > >
> > > JM
> > >
> > >
> > > Unless otherwise stated above:
> > >
> > > IBM United Kingdom Limited
> > > Registered in England and Wales with number 741598
> > > Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU
> >
>
