[ https://issues.apache.org/jira/browse/KAFKA-9858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17083482#comment-17083482 ]
Guozhang Wang commented on KAFKA-9858:
--------------------------------------
For rocksdbjni, I saw that at the moment even current master is still using
bzip version 1.0.6, so 3189 and 12900 would still exist in the newest rocksDB
version. I'd suggest you post on the rocksdb community and see if they
have a better understanding of how to resolve this?
> CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6
> allows remote attackers to cause a denial of service (crash) via a crafted
> bzip2 file, related to block ends set to before the start of the block.
> -----------------------------------------------------------------------------
>
> Key: KAFKA-9858
> URL: https://issues.apache.org/jira/browse/KAFKA-9858
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2, 2.3.1, 2.4.1
> Reporter: sihuanx
> Priority: Major
>
> I'm not sure whether CVE-2016-3189 affects Kafka 2.4.1 or not? This
> vulnerability was related to rocksdbjni-5.18.3.jar, which is compiled with
> *bzip2*.
> Is there any task or plan to fix it?
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)