Dependency update is on the way: https://github.com/apache/kafka/pull/17517 Once merged, I'll cherry-pick it to 3.8, 3.7 and 3.9
Best, On Wed, Oct 16, 2024 at 5:26 PM Chia-Ping Tsai <chia7...@gmail.com> wrote: > > If I understand your comment correctly, we can't yet update the > dependencies, right? We should wait for 9.4.57. > > I double check the fix (https://github.com/jetty/jetty.project/pull/12012) > and we don't need to wait for 9.4.57 as the fix of `CVE-2024-6763` will not > be backported to 9.4.x ... > > CVE-2024-8184 can be fixed by upgrading to 9.4.56 which is already > released. > > Best, > Chia-Ping > > > Josep Prat <josep.p...@aiven.io.invalid> 於 2024年10月16日 週三 下午10:57寫道: > > > Hi Chia-Ping, > > > > This issue was created between me pushing the tag and finishing all the > > associated tasks for the RC. Nice catch! > > If I understand your comment correctly, we can't yet update the > > dependencies, right? We should wait for 9.4.57. > > > > Best, > > > > ------------------ > > Josep Prat > > Open Source Engineering Director, Aiven > > josep.p...@aiven.io | +491715557497 | aiven.io > > Aiven Deutschland GmbH > > Alexanderufer 3-7, 10117 Berlin > > Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen, > > Anna Richardson, Kenneth Chen > > Amtsgericht Charlottenburg, HRB 209739 B > > > > On Wed, Oct 16, 2024, 16:36 Chia-Ping Tsai <chia7...@apache.org> wrote: > > > > > hi Josep > > > > > > I just notice https://issues.apache.org/jira/browse/KAFKA-17807 which > > > want to fix the CVEs. Should we include it in 3.8.1? > > > > > > Best, > > > Chia-Ping > > > > > > On 2024/10/16 08:21:02 Josep Prat wrote: > > > > Hello Kafka users, developers and client-developers, > > > > > > > > This is the first candidate for release of Apache Kafka 3.8.1. > > > > > > > > This is a bugfix release with several fixes. > > > > > > > > Release notes for the 3.8.1 release: > > > > > > > > > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/RELEASE_NOTES.html > > > > > > > > **** Please download, test and vote by Monday, October 21, 9am ET* > > > > > > > > > > > > Kafka's KEYS file containing PGP keys we use to sign the release: > > > > https://kafka.apache.org/KEYS > > > > > > > > * Release artifacts to be voted upon (source and binary): > > > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/ > > > > > > > > * Docker release artifacts to be voted upon: > > > > apache/kafka:3.8.1-rc0 > > > > apache/kafka-native:3.8.1-rc0 > > > > > > > > * Maven artifacts to be voted upon: > > > > > https://repository.apache.org/content/groups/staging/org/apache/kafka/ > > > > > > > > * Javadoc: > > > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/javadoc/ > > > > > > > > * Tag to be voted upon (off 3.8 branch) is the 3.8.1 tag: > > > > https://github.com/apache/kafka/releases/tag/3.8.1-rc0 > > > > > > > > * Documentation: > > > > Mind that the home.apache.org server is retired now. > > > > https://kafka.apache.org/38/documentation.html > > > > And https://github.com/apache/kafka-site/pull/635 > > > > > > > > * Protocol: > > > > https://kafka.apache.org/38/protocol.html > > > > And https://github.com/apache/kafka-site/pull/635 > > > > > > > > * Jenkins builds for the 3.8 branch: > > > > Unit/integration tests: There are some flaky tests, with the > > combination > > > of > > > > these 3 builds all tests passed at least once: > > > > > > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/101/testReport/ > > > , > > > > > > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/102/testReport/ > > > > and > > > > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/97/testReport/ > > > > > > > > System tests: Between these 2 runs all tests were successful: > > > > > > > > > > https://confluent-open-source-kafka-system-test-results.s3-us-west-2.amazonaws.com/3.8/2024-10-07--001.af519a09-fdc8-4d46-8478-e0280854e43e--1728373295--confluentinc--3.8--7dbc44143a/report.html > > > > > > > > > > https://confluent-open-source-kafka-branch-builder-system-test-results.s3-us-west-2.amazonaws.com/trunk/2024-10-01--001.e7b0a1be-bac1-4792-96da-ec94116e20ce--1727846843--confluentinc--3.8--99746d683a/report.html > > > > > > > > * Successful Docker Image Github Actions Pipeline for 3.8 branch: > > > > Docker Build Test Pipeline (JVM): > > > > https://github.com/apache/kafka/actions/runs/11360618017 > > > > Docker Build Test Pipeline (Native): > > > > https://github.com/apache/kafka/actions/runs/11360490943 > > > > > > > > /************************************** > > > > > > > > Thanks, > > > > > > > > > > > > -- > > > > [image: Aiven] <https://www.aiven.io> > > > > > > > > *Josep Prat* > > > > Open Source Engineering Director, *Aiven* > > > > josep.p...@aiven.io | +491715557497 > > > > aiven.io <https://www.aiven.io> | < > > > https://www.facebook.com/aivencloud> > > > > <https://www.linkedin.com/company/aiven/> < > > > https://twitter.com/aiven_io> > > > > *Aiven Deutschland GmbH* > > > > Alexanderufer 3-7, 10117 Berlin > > > > Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen, > > > > Anna Richardson, Kenneth Chen > > > > Amtsgericht Charlottenburg, HRB 209739 B > > > > > > > > > > -- [image: Aiven] <https://www.aiven.io> *Josep Prat* Open Source Engineering Director, *Aiven* josep.p...@aiven.io | +491715557497 aiven.io <https://www.aiven.io> | <https://www.facebook.com/aivencloud> <https://www.linkedin.com/company/aiven/> <https://twitter.com/aiven_io> *Aiven Deutschland GmbH* Alexanderufer 3-7, 10117 Berlin Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen, Anna Richardson, Kenneth Chen Amtsgericht Charlottenburg, HRB 209739 B
