On 2019/03/15 16:44:32, "Colin McCabe" <cmcc...@apache.org> wrote: 
> Hi JIAHAO,
> 
> Kafka does not use Guava.
> 
> Some of the packages Kafka Connect depends on use Guava.  Perhaps the right 
> thing to do is track down those projects and see how they are using Guava (if 
> they are vulnerable to the CVE).
> 
> best,
> Colin
> 
> 
> On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote:
> > Hello,
> > when downloading Kafka 2.1.1, the kafka_2.12-2.1.1.tgz still contains
> > guava-20.0.jar. This guava version currently has a vulnerability
> > described here: https://github.com/google/guava/wiki/CVE-2018-10237
> > Versions 24.1.1 and 25.0+ are the fixed versions.
> > Are there any plans to upgrade this dependency?
> > 
> > Regards
> > Jiahao Zhou
> >
> Thanks Colin
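
An added example, not part of the thread and not Kafka project code: a presence check that lists a distribution archive and flags bundled Guava jars older than the fixed releases named above (24.1.1 and 25.0+). The archive built here is a constructed sample with empty members, the `sample/` paths are made up, and a hit only says the jar is present, not that the code depending on it is exposed to the CVE.

```python
import io
import re
import tarfile

# Fixed releases named in the thread: 24.1.1 and 25.0+.
FIXED = (24, 1, 1)

# Matches guava-20.0.jar and guava-24.1.1-jre.jar, but not guava-testlib-*.jar.
GUAVA_JAR = re.compile(r"(?:^|/)guava-(\d+(?:\.\d+)*)(?:-(?:jre|android))?\.jar$")


def parse_version(text):
    """Turn '24.1.1' into (24, 1, 1), padded to three parts for comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def find_guava(names):
    """Return (path, version, predates_fix) for each bundled Guava jar."""
    hits = []
    for name in names:
        m = GUAVA_JAR.search(name)
        if m:
            version = m.group(1)
            hits.append((name, version, parse_version(version) < FIXED))
    return hits


def scan_archive(fileobj):
    """List a .tgz distribution and report Guava jars without unpacking it."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        return find_guava(tar.getnames())


def build_sample_archive():
    """Constructed stand-in for a distribution archive (empty members only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("kafka_2.12-2.1.1/libs/guava-20.0.jar",
                     "sample/libs/guava-24.1.1-jre.jar",
                     "sample/libs/guava-testlib-20.0.jar"):
            tar.addfile(tarfile.TarInfo(name))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, version, old in scan_archive(build_sample_archive()):
        print(f"{path}: guava {version} ->", "predates fix" if old else "fixed release")
```

To check a real download, pass `open("kafka_2.12-2.1.1.tgz", "rb")` to `scan_archive`.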
