ppkarwasz commented on PR #1111: URL: https://github.com/apache/logging-log4j2/pull/1111#issuecomment-1280821401
@eurrio, IMHO and according to [MvnRepository](https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients) that CVE does not apply to any Kafka client (as opposed to [Kafka servers](https://mvnrepository.com/artifact/org.apache.kafka/kafka)). There is no security reason to upgrade our `kafka-clients` version. Due to the stability of Kafka's Producer API the `KafkaAppender` can use **any** Kafka client version from 1.1.1 onwards: check our [Kafka tests](https://github.com/apache/logging-log4j2/actions/workflows/log4j-kafka-test.yml). So the only question that remains is: which version should we advertise in our POM file. @rgoers: any ideas? I don't want to "upgrade" to the latest version to show people that we also support older revisions. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
