[ https://issues.apache.org/jira/browse/KAFKA-13518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manikumar resolved KAFKA-13518.
-------------------------------
    Fix Version/s: 3.4.0
       Resolution: Fixed

> Update gson dependency
> ----------------------
>
>                 Key: KAFKA-13518
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13518
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.0.0
>            Reporter: Pavel Kuznetsov
>            Assignee: Dongjin Lee
>            Priority: Major
>              Labels: security
>             Fix For: 3.4.0
>
>
> *Describe the bug*
> I checked the kafka_2.13-3.0.0.tgz distribution with WhiteSource and found out
> that some libraries have vulnerabilities.
> Here they are:
> * gson-2.8.6.jar has WS-2021-0419 vulnerability. The way to fix it is to
> upgrade to com.google.code.gson:gson:2.8.9
> * netty-codec-4.1.65.Final.jar has CVE-2021-37136 and CVE-2021-37137
> vulnerabilities. The way to fix it is to upgrade to
> io.netty:netty-codec:4.1.68.Final
>
> *To Reproduce*
> Download kafka_2.13-3.0.0.tgz and find the jars listed above.
> Check that these jars with corresponding versions are mentioned in the
> corresponding vulnerability description.
>
> *Expected behavior*
> * gson upgraded to 2.8.9 or higher
> * netty-codec upgraded to 4.1.68.Final or higher
>
> *Actual behaviour*
> * gson is 2.8.6
> * netty-codec is 4.1.65.Final

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
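The "To Reproduce" step above amounts to listing the jars bundled in the distribution and comparing their versions with the fixed versions named in the ticket. The following added script (not part of the Jira thread or of the Kafka project) automates that check: it parses `artifact-version.jar` names, compares them against the minimum fixed versions from the ticket, and can read the names straight out of a downloaded kafka_*.tgz. The `SAMPLE_LIBS` list is constructed for offline use; only the gson and netty-codec entries come from the ticket.

```python
import re
import tarfile

# Minimum non-vulnerable versions named in KAFKA-13518 (artifact -> version).
MIN_FIXED = {"gson": "2.8.9", "netty-codec": "4.1.68.Final"}

# Constructed sample of a libs/ listing; only the gson and netty-codec
# filenames are the ones the ticket reports for kafka_2.13-3.0.0.
SAMPLE_LIBS = [
    "kafka_2.13-3.0.0/libs/kafka_2.13-3.0.0.jar",
    "kafka_2.13-3.0.0/libs/gson-2.8.6.jar",
    "kafka_2.13-3.0.0/libs/netty-codec-4.1.65.Final.jar",
    "kafka_2.13-3.0.0/libs/netty-codec-http-4.1.65.Final.jar",
    "kafka_2.13-3.0.0/libs/scala-library-2.13.6.jar",
]

# artifact id, a dash, then a version that starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_jar(path):
    """'libs/netty-codec-4.1.65.Final.jar' -> ('netty-codec', '4.1.65.Final')."""
    m = JAR_RE.match(path.rsplit("/", 1)[-1])
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Numeric tuple for ordering; qualifiers such as 'Final' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_outdated(jar_paths, minimums=MIN_FIXED):
    """Return (path, artifact, version, required) for each jar below the fix."""
    findings = []
    for path in jar_paths:
        parsed = parse_jar(path)
        if parsed is None:
            continue
        artifact, version = parsed
        required = minimums.get(artifact)
        if required and version_key(version) < version_key(required):
            findings.append((path, artifact, version, required))
    return findings


def scan_distribution(tgz_path, minimums=MIN_FIXED):
    """Check every .jar inside a downloaded kafka_*.tgz without extracting it."""
    with tarfile.open(tgz_path, "r:gz") as tar:
        names = [m.name for m in tar.getmembers() if m.name.endswith(".jar")]
    return find_outdated(names, minimums)
```

Running `find_outdated(SAMPLE_LIBS)` flags gson 2.8.6 and netty-codec 4.1.65.Final, which is exactly the "Actual behaviour" the reporter lists; netty-codec-http is a different artifact and is left alone because the ticket names no fix for it.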