[jira] [Commented] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
[ https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17769066#comment-17769066 ]

Divij Vaidya commented on KAFKA-15487:
--------------------------------------

We have backported this to all community supported versions (3.4, 3.5, 3.6) as per the EOL policy at [https://cwiki.apache.org/confluence/display/KAFKA/Time+Based+Release+Plan#TimeBasedReleasePlan-WhatIsOurEOLPolicy?]

We have an upcoming 3.6.0 release which will contain this upgrade, but we don't have 3.5.2 or 3.4.2 planned as of yet. If you have thoughts on Apache Kafka's EOL policy, please participate in the discussion at [https://lists.apache.org/thread/tzx4zkhfz26joq5ydq70bxcfr3zwy1hk]

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
> ----------------------------------------------------------------------------------
>
>                 Key: KAFKA-15487
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15487
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.7.0, 2.6.1, 3.4.1, 3.6.0, 3.5.1
>            Reporter: Rafael Rios Saavedra
>            Assignee: Divij Vaidya
>            Priority: Major
>              Labels: CVE, security
>             Fix For: 3.6.0, 3.4.2, 3.5.2
>
>
> The CVE-2023-40167 and CVE-2023-36479 vulnerabilities affect Jetty version *9.4.51*. For more information see
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167]
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749]
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address this issue.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
[ https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17768595#comment-17768595 ]

Divij Vaidya commented on KAFKA-15487:
--------------------------------------

[~dongjin] I am assigning this ticket to myself since we have to move a bit faster on this JIRA. I have started a PR [https://github.com/apache/kafka/pull/14438] for this.

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
> ----------------------------------------------------------------------------------
>
>                 Key: KAFKA-15487
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15487
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.7.0, 2.6.1, 3.4.1, 3.6.0, 3.5.1
>            Reporter: Rafael Rios Saavedra
>            Assignee: Dongjin Lee
>            Priority: Major
>              Labels: CVE, security
>             Fix For: 2.8.0, 2.7.1, 2.6.2, 3.0.0
>
>
> The CVE-2023-40167 and CVE-2023-36479 vulnerabilities affect Jetty version *9.4.51*. For more information see
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167]
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749]
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address this issue.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
[ https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17768031#comment-17768031 ]

Divij Vaidya commented on KAFKA-15487:
--------------------------------------

The current release candidate 3.6 uses Jetty 9.4.51 [1], hence all versions of Kafka are impacted by the CVE [2]. I have started a conversation with Kafka's security team about this. Let us get back to you on this.

In future, the preferred way to report security issues is by emailing [secur...@kafka.apache.org|mailto:secur...@kafka.apache.org] with the details.

[1] [https://github.com/apache/kafka/blame/e8dffea9ab9c02b6c6a862de11439ad0ff6bf2c5/gradle/dependencies.gradle#L93]
[2] [https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6]

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
> ----------------------------------------------------------------------------------
>
>                 Key: KAFKA-15487
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15487
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.7.0, 2.6.1
>            Reporter: Rafael Rios Saavedra
>            Assignee: Dongjin Lee
>            Priority: Major
>              Labels: CVE, security
>             Fix For: 2.8.0, 2.7.1, 2.6.2, 3.0.0
>
>
> The CVE-2023-40167 and CVE-2023-36479 vulnerabilities affect Jetty version *9.4.51*. For more information see
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167]
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749]
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address this issue.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
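The comments above establish the practical question for an operator: does the Jetty on my Kafka broker's classpath sit at or above the fixed release for its major line (9.4.52, 10.0.16, 11.0.16 or 12.0.1, as listed in the ticket)? The script below is an added example, not code from Apache Kafka or from the ticket. It walks a Kafka libs/ directory, parses the Jetty jar file names (Jetty 9.4.x jars carry a ".vYYYYMMDD" qualifier after the version, which the parser tolerates) and reports each jar as at or above the fix version, below it, or on a major line the ticket does not cover. The sample directory listing embedded in the block is constructed for the example; the threshold table comes from the ticket text.

```python
"""Audit Jetty jars on a Kafka classpath against the fixed releases named in KAFKA-15487.

Added example; not part of Apache Kafka or the Jira ticket.
"""
import re
import sys
from pathlib import Path

# Minimum fixed release per Jetty major line, taken from the ticket description.
FIXED_BY_MAJOR = {
    9: (9, 4, 52),
    10: (10, 0, 16),
    11: (11, 0, 16),
    12: (12, 0, 1),
}

# jetty-server-9.4.51.v20230217.jar -> ("jetty-server", (9, 4, 51))
# jetty-util-10.0.15.jar            -> ("jetty-util",   (10, 0, 15))
JAR_RE = re.compile(r"^(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.v\d+)?\.jar$")


def parse_jetty_jar(name):
    """Return (artifact, (major, minor, patch)) for a Jetty jar name, else None."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_fixed(version):
    """True/False against the fix version for this major line; None if the line is unknown."""
    fixed = FIXED_BY_MAJOR.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def audit_jars(names):
    """Map each Jetty jar name to 'fixed', 'below_fix' or 'unknown_line'; skip non-Jetty jars."""
    report = {}
    for name in names:
        parsed = parse_jetty_jar(name)
        if parsed is None:
            continue
        verdict = is_fixed(parsed[1])
        if verdict is None:
            report[name] = "unknown_line"
        else:
            report[name] = "fixed" if verdict else "below_fix"
    return report


def audit_libs_dir(libs_dir):
    """Audit every regular file in a Kafka libs/ directory."""
    return audit_jars(p.name for p in Path(libs_dir).iterdir() if p.is_file())


# Constructed sample listing (names follow Jetty's jar naming; the mix is invented for the example).
SAMPLE_LIBS = [
    "jetty-server-9.4.51.v20230217.jar",
    "jetty-servlet-9.4.51.v20230217.jar",
    "jetty-http-9.4.52.v20230823.jar",
    "jetty-util-10.0.15.jar",
    "kafka-clients-3.5.1.jar",
]

if __name__ == "__main__":
    # Usage: python jetty_audit.py /opt/kafka/libs   (falls back to the constructed sample)
    report = audit_libs_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_jars(SAMPLE_LIBS)
    for jar, status in sorted(report.items()):
        print(f"{status:13s} {jar}")
    sys.exit(1 if "below_fix" in report.values() else 0)
```

The check is deliberately by file name rather than by reading the jar manifest, because that is what an operator can do across a fleet with a directory listing; a mixed result (some jars at 9.4.52, others still at 9.4.51) is itself worth flagging, since a partial upgrade of Jetty artifacts is a common packaging mistake.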