[jira] [Commented] (KAFKA-15128) snappy-java-1.1.8.4.jar library vulnerability
[ https://issues.apache.org/jira/browse/KAFKA-15128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737791#comment-17737791 ]

Arushi Rai commented on KAFKA-15128:
------------------------------------

Hi [~ckamal]

If possible, can you share the expected release version where this vulnerability will be resolved?

> snappy-java-1.1.8.4.jar library vulnerability
> ---------------------------------------------
>
>                 Key: KAFKA-15128
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15128
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.4.0
>            Reporter: priyatama
>            Priority: Major
>         Attachments: Screenshot 2023-06-27 at 12.30.51 PM.png
>
>
> Hi Team,
> We found a new vulnerability introduced in the snappy-java-1.1.8.4 library, so we need to get rid of it.
> !Screenshot 2023-06-27 at 12.30.51 PM.png|width=321,height=230!
> During analysis, we found snappy-java coming in via kafka-clients, as our application is not using the snappy-java jar directly.
> Can anyone please explain what the use of snappy-java in kafka-clients is, or whether we can exclude it?
> The latest kafka-clients also has the vulnerable snappy jar; by when will kafka-clients release a next version that has a non-vulnerable snappy-java jar in it?
> cc: [Mickael Maison|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=mimaison]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KAFKA-15128) snappy-java-1.1.8.4.jar library vulnerability
[ https://issues.apache.org/jira/browse/KAFKA-15128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737576#comment-17737576 ]

Kamal Chandraprakash commented on KAFKA-15128:
----------------------------------------------

The snappy jar is used to compress the records from the producer. If you're not setting {{compression.type}} to {{snappy}} in your producer configuration, then you can safely exclude this jar from your distribution.

https://github.com/apache/kafka/blob/trunk/build.gradle#L1342
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/record/CompressionType.java#L89

(The quoted issue description is the same as in the comment above.)
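The comment above is the operative advice, and kafka-clients does load the xerial classes lazily (the SNAPPY codec only touches them when a batch is actually compressed or decompressed), so excluding `org.xerial.snappy:snappy-java` from the `kafka-clients` dependency in your build file works when no code path ever selects snappy. Two caveats a practitioner should check before relying on the exclusion: a consumer decompresses whatever codec the fetched batch carries, so an application that reads topics written by a snappy-configured producer, or by a broker/topic whose own `compression.type` is `snappy`, still needs the jar; and the failure mode when the jar is missing is a `NoClassDefFoundError` on the first send or poll, not at startup. The guard below is an added example written for this page; it is not Kafka project code and not something either commenter posted. It assumes the application holds its producer settings in a `java.util.Properties`, that the operator knows whether any consumed topic is snappy-compressed (the `consumesSnappyTopics` flag is that assumption made explicit), and that `org.xerial.snappy.Snappy` is the entry-point class of the snappy-java artifact.

```java
import java.util.Locale;
import java.util.Properties;

/**
 * Startup guard for the snappy-java exclusion discussed in KAFKA-15128.
 * Added example: not part of Kafka or of the Jira thread.
 */
public final class SnappyDependencyGuard {

    /** Producer config key; same string as ProducerConfig.COMPRESSION_TYPE_CONFIG. */
    static final String COMPRESSION_TYPE = "compression.type";

    /** Assumed entry-point class of org.xerial.snappy:snappy-java. */
    static final String SNAPPY_ENTRY_CLASS = "org.xerial.snappy.Snappy";

    /** True when the producer is configured to emit snappy-compressed batches. */
    static boolean producerUsesSnappy(Properties producerProps) {
        // Kafka's default is "none". Kafka itself expects the lowercase codec
        // name; we compare case-insensitively so a misspelled "Snappy" still
        // trips the guard instead of slipping past it.
        String type = producerProps.getProperty(COMPRESSION_TYPE, "none")
                                   .trim().toLowerCase(Locale.ROOT);
        return "snappy".equals(type);
    }

    /** True when snappy-java is reachable from this class's loader. */
    static boolean snappyOnClasspath() {
        try {
            // initialize=false: probe presence without running static initialisers
            // (snappy-java unpacks a native library when it initialises).
            Class.forName(SNAPPY_ENTRY_CLASS, false, SnappyDependencyGuard.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /**
     * Fail fast at startup instead of on the first send()/poll().
     * consumesSnappyTopics must be supplied by the operator: the consumer cannot
     * know the codec of a batch until it fetches it.
     */
    static String check(Properties producerProps, boolean consumesSnappyTopics) {
        boolean needed = producerUsesSnappy(producerProps) || consumesSnappyTopics;
        boolean present = snappyOnClasspath();
        if (needed && !present) {
            throw new IllegalStateException(
                "snappy codec is required (producer compression.type=snappy or a "
                + "snappy-compressed topic is consumed) but snappy-java is not on the "
                + "classpath; drop the build exclusion or switch codecs");
        }
        if (!needed && present) {
            // The exclusion was the whole point; flag that it is not taking effect
            // (another dependency may be pulling snappy-java back in).
            return "WARN: snappy-java is on the classpath but nothing here needs it; "
                 + "check the dependency tree, the exclusion is not effective";
        }
        return needed ? "OK: snappy in use and snappy-java present"
                      : "OK: snappy not in use and snappy-java excluded";
    }

    public static void main(String[] args) {
        // Constructed sample configuration: a gzip producer that reads no
        // snappy-compressed topics, i.e. the case where the jar can be excluded.
        Properties producer = new Properties();
        producer.setProperty("bootstrap.servers", "localhost:9092");
        producer.setProperty(COMPRESSION_TYPE, "gzip");
        System.out.println(check(producer, /* consumesSnappyTopics = */ false));
    }
}
```

Run `check(...)` once during application start-up, after the producer properties are loaded and before any client is constructed. With snappy-java excluded and `compression.type=gzip` the sample prints the "excluded" verdict; putting snappy-java back on the classpath turns it into the warning, and setting `compression.type=snappy` without the jar makes it throw, which is the behaviour you want from a CI smoke test of the exclusion.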