Yes, we have a thread for the 3.9.2 release manager: https://lists.apache.org/thread/mz7nqbfl2ww7jvcko6qnoqow77xkly0d
The CVE is a solid reason to move forward with the next release.

Rico Hightower <rico.highto...@synergistcomputing.com.invalid> wrote on Fri, Sep 19, 2025 at 11:32 PM:

> Our team is looking to move to the latest 3.x version of Kafka. The latest
> available, version 3.9.1, currently has the high score CVE-2025-48734. The
> culprit is a dependency on commons-beanutils-1.9.4.jar.
>
> Are there any future plans to mitigate this CVE in a 3.9.x update?