Dependency update is on the way: https://github.com/apache/kafka/pull/17517
Once merged, I'll cherry-pick it to 3.8, 3.7 and 3.9

Best,

On Wed, Oct 16, 2024 at 5:26 PM Chia-Ping Tsai <chia7...@gmail.com> wrote:

> > If I understand your comment correctly, we can't yet update the
> dependencies, right? We should wait for 9.4.57.
>
> I double check the fix (https://github.com/jetty/jetty.project/pull/12012)
> and we don't need to wait for 9.4.57 as the fix of `CVE-2024-6763` will not
> be backported to 9.4.x ...
>
> CVE-2024-8184 can be fixed by upgrading to 9.4.56 which is already
> released.
>
> Best,
> Chia-Ping
>
>
> Josep Prat <josep.p...@aiven.io.invalid> 於 2024年10月16日 週三 下午10:57寫道:
>
> > Hi Chia-Ping,
> >
> > This issue was created between me pushing the tag and finishing all the
> > associated tasks for the RC. Nice catch!
> > If I understand your comment correctly, we can't yet update the
> > dependencies, right? We should wait for 9.4.57.
> >
> > Best,
> >
> > ------------------
> > Josep Prat
> > Open Source Engineering Director, Aiven
> > josep.p...@aiven.io   |   +491715557497 | aiven.io
> > Aiven Deutschland GmbH
> > Alexanderufer 3-7, 10117 Berlin
> > Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen,
> > Anna Richardson, Kenneth Chen
> > Amtsgericht Charlottenburg, HRB 209739 B
> >
> > On Wed, Oct 16, 2024, 16:36 Chia-Ping Tsai <chia7...@apache.org> wrote:
> >
> > > hi Josep
> > >
> > > I just notice https://issues.apache.org/jira/browse/KAFKA-17807 which
> > > want to fix the CVEs. Should we include it in 3.8.1?
> > >
> > > Best,
> > > Chia-Ping
> > >
> > > On 2024/10/16 08:21:02 Josep Prat wrote:
> > > > Hello Kafka users, developers and client-developers,
> > > >
> > > > This is the first candidate for release of Apache Kafka 3.8.1.
> > > >
> > > > This is a bugfix release with several fixes.
> > > >
> > > > Release notes for the 3.8.1 release:
> > > >
> > >
> >
> https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/RELEASE_NOTES.html
> > > >
> > > > **** Please download, test and vote by Monday, October 21, 9am ET*
> > > >
> > > >
> > > > Kafka's KEYS file containing PGP keys we use to sign the release:
> > > > https://kafka.apache.org/KEYS
> > > >
> > > > * Release artifacts to be voted upon (source and binary):
> > > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/
> > > >
> > > > * Docker release artifacts to be voted upon:
> > > > apache/kafka:3.8.1-rc0
> > > > apache/kafka-native:3.8.1-rc0
> > > >
> > > > * Maven artifacts to be voted upon:
> > > >
> https://repository.apache.org/content/groups/staging/org/apache/kafka/
> > > >
> > > > * Javadoc:
> > > > https://dist.apache.org/repos/dist/dev/kafka/3.8.1-rc0/javadoc/
> > > >
> > > > * Tag to be voted upon (off 3.8 branch) is the 3.8.1 tag:
> > > > https://github.com/apache/kafka/releases/tag/3.8.1-rc0
> > > >
> > > > * Documentation:
> > > > Mind that the home.apache.org server is retired now.
> > > > https://kafka.apache.org/38/documentation.html
> > > > And https://github.com/apache/kafka-site/pull/635
> > > >
> > > > * Protocol:
> > > > https://kafka.apache.org/38/protocol.html
> > > > And https://github.com/apache/kafka-site/pull/635
> > > >
> > > > * Jenkins builds for the 3.8 branch:
> > > > Unit/integration tests: There are some flaky tests, with the
> > combination
> > > of
> > > > these 3 builds all tests passed at least once:
> > > >
> > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/101/testReport/
> > > ,
> > > >
> > https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/102/testReport/
> > > > and
> > >
> https://ci-builds.apache.org/job/Kafka/job/kafka/job/3.8/97/testReport/
> > > >
> > > > System tests: Between these 2 runs all tests were successful:
> > > >
> > >
> >
> https://confluent-open-source-kafka-system-test-results.s3-us-west-2.amazonaws.com/3.8/2024-10-07--001.af519a09-fdc8-4d46-8478-e0280854e43e--1728373295--confluentinc--3.8--7dbc44143a/report.html
> > > >
> > >
> >
> https://confluent-open-source-kafka-branch-builder-system-test-results.s3-us-west-2.amazonaws.com/trunk/2024-10-01--001.e7b0a1be-bac1-4792-96da-ec94116e20ce--1727846843--confluentinc--3.8--99746d683a/report.html
> > > >
> > > > * Successful Docker Image Github Actions Pipeline for 3.8 branch:
> > > > Docker Build Test Pipeline (JVM):
> > > > https://github.com/apache/kafka/actions/runs/11360618017
> > > > Docker Build Test Pipeline (Native):
> > > > https://github.com/apache/kafka/actions/runs/11360490943
> > > >
> > > > /**************************************
> > > >
> > > > Thanks,
> > > >
> > > >
> > > > --
> > > > [image: Aiven] <https://www.aiven.io>
> > > >
> > > > *Josep Prat*
> > > > Open Source Engineering Director, *Aiven*
> > > > josep.p...@aiven.io   |   +491715557497
> > > > aiven.io <https://www.aiven.io>   |   <
> > > https://www.facebook.com/aivencloud>
> > > >   <https://www.linkedin.com/company/aiven/>   <
> > > https://twitter.com/aiven_io>
> > > > *Aiven Deutschland GmbH*
> > > > Alexanderufer 3-7, 10117 Berlin
> > > > Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen,
> > > > Anna Richardson, Kenneth Chen
> > > > Amtsgericht Charlottenburg, HRB 209739 B
> > > >
> > >
> >
>


-- 
[image: Aiven] <https://www.aiven.io>

*Josep Prat*
Open Source Engineering Director, *Aiven*
josep.p...@aiven.io   |   +491715557497
aiven.io <https://www.aiven.io>   |   <https://www.facebook.com/aivencloud>
  <https://www.linkedin.com/company/aiven/>   <https://twitter.com/aiven_io>
*Aiven Deutschland GmbH*
Alexanderufer 3-7, 10117 Berlin
Geschäftsführer: Oskari Saarenmaa, Hannu Valtonen,
Anna Richardson, Kenneth Chen
Amtsgericht Charlottenburg, HRB 209739 B

Reply via email to