gaurav-narula commented on PR #21395:
URL: https://github.com/apache/kafka/pull/21395#issuecomment-3852288986

> Does this mean that the CVE data is just wrong?
>
> I ask because [CVE-2025-12383](https://github.com/advisories/GHSA-7p63-w6x9-6gr7) only references 2.45, 3.0.16, 3.1.9

I think the issue exists in releases where either of the following conditions hold:

1. https://github.com/eclipse-ee4j/jersey/commit/d4a0612015299d5912f152dcf018b4d1196bdb18 is not merged, so < 2.41, < 3.0.12, < 3.1.4 OR
2. https://github.com/eclipse-ee4j/jersey/commit/425bc883d8d623ef8d3c448fafd36729f7741bcb is merged **without** https://github.com/eclipse-ee4j/jersey/commit/b2c7ba6d388cb9722f39073d7e82aa818fec49d5, so =3.0.16 and =3.1.9

Releases between (1) and (2) would suffer from the perf degradation mentioned in https://github.com/eclipse-ee4j/jersey/issues/5738. Once again, I'm basing this off of the PoC to reproduce the issue at https://github.com/dtbaum/jerseyCveCandidate.

It would be nice to get a confirmation from Jersey developers on this. I'll need some approvals (and hence time) to be able to participate in discussions at https://gitlab.eclipse.org/security/cve-assignment/-/issues/74. In the meantime, I agree we should get another RC going for 3.9.2 with the version bumped.
