> If I understand your comment correctly, we can't yet update the
> dependencies, right? We should wait for 9.4.57.

I double-checked the fix (https://github.com/jetty/jetty.project/pull/12012)
and we don't need to wait for 9.4.57, as the fix for `CVE-2024-6763` will not
be backported to 9.4.x ...

CVE-2024-8184 can be fixed by upgrading to 9.4.56 which is already released.

Best,
Chia-Ping


Josep Prat <josep.p...@aiven.io.invalid> wrote on Wed, Oct 16, 2024 at 10:57 PM:

> Hi Chia-Ping,
>
> This issue was created between me pushing the tag and finishing all the
> associated tasks for the RC. Nice catch!
> If I understand your comment correctly, we can't yet update the
> dependencies, right? We should wait for 9.4.57.
>
> Best,
>
> ------------------
> Josep Prat
> Open Source Engineering Director, Aiven
> josep.p...@aiven.io   |   +491715557497 | aiven.io
> Aiven Deutschland GmbH
> Alexanderufer 3-7, 10117 Berlin
> Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen,
> Anna Richardson, Kenneth Chen
> Amtsgericht Charlottenburg, HRB 209739 B
>
> On Wed, Oct 16, 2024, 16:36 Chia-Ping Tsai <chia7...@apache.org> wrote:
>
> > hi Josep
> >
> > I just noticed https://issues.apache.org/jira/browse/KAFKA-17807 which
> > wants to fix the CVEs. Should we include it in 3.8.1?
> >
> > Best,
> > Chia-Ping
> >
> > On 2024/10/16 08:21:02 Josep Prat wrote:
> > > Hello Kafka users, developers and client-developers,
> > >
> > > This is the first candidate for release of Apache Kafka 3.8.1.
> > >
> > > This is a bugfix release with several fixes.
> > >
> > > Release notes for the 3.8.1 release:
> > >
> > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/RELEASE_NOTES.html
> > >
> > > **** Please download, test and vote by Monday, October 21, 9am ET*
> > >
> > >
> > > Kafka's KEYS file containing PGP keys we use to sign the release:
> > > https://kafka.apache.org/KEYS
> > >
> > > * Release artifacts to be voted upon (source and binary):
> > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/
> > >
> > > * Docker release artifacts to be voted upon:
> > > apache/kafka:3.8.1-rc0
> > > apache/kafka-native:3.8.1-rc0
> > >
> > > * Maven artifacts to be voted upon:
> > > https://repository.apache.org/content/groups/staging/org/apache/kafka/
> > >
> > > * Javadoc:
> > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/javadoc/
> > >
> > > * Tag to be voted upon (off 3.8 branch) is the 3.8.1 tag:
> > > https://github.com/apache/kafka/releases/tag/3.8.1-rc0
> > >
> > > * Documentation:
> > > Mind that the home.apache.org server is retired now.
> > > https://kafka.apache.org/38/documentation.html
> > > And https://github.com/apache/kafka-site/pull/635
> > >
> > > * Protocol:
> > > https://kafka.apache.org/38/protocol.html
> > > And https://github.com/apache/kafka-site/pull/635
> > >
> > > * Jenkins builds for the 3.8 branch:
> > > Unit/integration tests: There are some flaky tests, with the combination of
> > > these 3 builds all tests passed at least once:
> > > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/101/testReport/,
> > > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/102/testReport/
> > > and https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/97/testReport/
> > >
> > > System tests: Between these 2 runs all tests were successful:
> > >
> > > https://confluent-open-source-kafka-system-test-results.s3-us-west-2.amazonaws.com/3.8/2024-10-07--001.af519a09-fdc8-4d46-8478-e0280854e43e--1728373295--confluentinc--3.8--7dbc44143a/report.html
> > > https://confluent-open-source-kafka-branch-builder-system-test-results.s3-us-west-2.amazonaws.com/trunk/2024-10-01--001.e7b0a1be-bac1-4792-96da-ec94116e20ce--1727846843--confluentinc--3.8--99746d683a/report.html
> > >
> > > * Successful Docker Image Github Actions Pipeline for 3.8 branch:
> > > Docker Build Test Pipeline (JVM):
> > > https://github.com/apache/kafka/actions/runs/11360618017
> > > Docker Build Test Pipeline (Native):
> > > https://github.com/apache/kafka/actions/runs/11360490943
> > >
> > > /**************************************
> > >
> > > Thanks,
> > >
> > >
> > > --
> > >
> > > *Josep Prat*
> > > Open Source Engineering Director, *Aiven*
> > > josep.p...@aiven.io   |   +491715557497
> > > aiven.io <https://www.aiven.io>
> > > *Aiven Deutschland GmbH*
> > > Alexanderufer 3-7, 10117 Berlin
> > > Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen,
> > > Anna Richardson, Kenneth Chen
> > > Amtsgericht Charlottenburg, HRB 209739 B
> > >
> >
>
