niteshmor commented on pull request #9702: URL: https://github.com/apache/kafka/pull/9702#issuecomment-741973244
Thanks @sirocchj, you beat me to it for this upgrade request. For older branches, these are the current versions of jackson databind in use:

```
2.1:   2.9.8
2.2:   2.10.0
2.3:   2.10.0
2.4:   2.10.5
2.5:   2.10.2
2.6:   2.10.2
2.7:   2.10.5
trunk: 2.10.5
```

Based on the comment [here](https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837) and the release announcement [linked above](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#micro-patches), there will not be a 2.10.2.1, and kafka 2.6 will need a jackson upgrade from 2.10.2 => 2.10.5.1 to be free of this vulnerability.

Based on the recency of kafka versions and the required change in jackson version for kafka to be CVE free, may I recommend the following upgrade paths:

```
2.1:   2.9.8  => x
2.2:   2.10.0 => x
2.3:   2.10.0 => x
2.4:   2.10.5 => 2.10.5.1
2.5:   2.10.2 => 2.10.5.1
2.6:   2.10.2 => 2.10.5.1
2.7:   2.10.5 => 2.10.5.1
trunk: 2.10.5 => 2.10.5.1
```
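The point of the thread is that a three-component version like 2.10.5 must sort below the four-component micro-patch 2.10.5.1, which a naive string compare gets wrong. The following is an added example, not code from the comment or from the Kafka project: it parses constructed dependency lines (shaped like Gradle versions-map entries, with the values from the table above), pads versions to four components, and reports which branches sit below 2.10.5.1. It assumes that anything below 2.10.5.1 needs attention.

```python
import re
from typing import Dict, Optional, Tuple

# Lowest jackson-databind release the thread above identifies as carrying the fix.
FIXED_VERSION = "2.10.5.1"

# Constructed sample: one dependency line per Kafka branch, in the shape of a
# Gradle versions-map entry; the values come from the table in the comment above.
SAMPLE_DEPENDENCY_LINES = {
    "2.1": 'jackson: "2.9.8",',
    "2.2": 'jackson: "2.10.0",',
    "2.3": 'jackson: "2.10.0",',
    "2.4": 'jackson: "2.10.5",',
    "2.5": 'jackson: "2.10.2",',
    "2.6": 'jackson: "2.10.2",',
    "2.7": 'jackson: "2.10.5",',
    "trunk": 'jackson: "2.10.5",',
}

VERSION_RE = re.compile(r'jackson:\s*"(\d+(?:\.\d+)*)"')


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.5.1' -> (2, 10, 5, 1); pad to four parts so 2.10.5 sorts below 2.10.5.1."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def extract_jackson_version(line: str) -> Optional[str]:
    """Pull the quoted version out of a `jackson: "..."` line, or None if absent."""
    m = VERSION_RE.search(line)
    return m.group(1) if m else None


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version sorts strictly below the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def audit(lines: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map branch -> (jackson version, needs upgrade?) for every line declaring one."""
    result = {}
    for branch, line in lines.items():
        version = extract_jackson_version(line)
        if version is not None:
            result[branch] = (version, is_vulnerable(version))
    return result


if __name__ == "__main__":
    for branch, (version, vuln) in audit(SAMPLE_DEPENDENCY_LINES).items():
        print(f"{branch}: {version} -> {'upgrade to ' + FIXED_VERSION if vuln else 'ok'}")
```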