[jira] [Commented] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1

2023-09-26 Thread Divij Vaidya (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17769066#comment-17769066 ]

Divij Vaidya commented on KAFKA-15487:
--

We have backported this to all community-supported versions (3.4, 3.5, 3.6) as 
per the EOL policy at 
[https://cwiki.apache.org/confluence/display/KAFKA/Time+Based+Release+Plan#TimeBasedReleasePlan-WhatIsOurEOLPolicy?]. 
We have an upcoming 3.6.0 release which will contain this upgrade, but we don't 
have 3.5.2 or 3.4.2 planned as of yet.

If you have thoughts on Apache Kafka's EOL policy, please participate in the 
discussion at 
[https://lists.apache.org/thread/tzx4zkhfz26joq5ydq70bxcfr3zwy1hk] 

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 
> 12.0.1
> --
>
> Key: KAFKA-15487
> URL: https://issues.apache.org/jira/browse/KAFKA-15487
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.7.0, 2.6.1, 3.4.1, 3.6.0, 3.5.1
> Reporter: Rafael Rios Saavedra
> Assignee: Divij Vaidya
> Priority: Major
> Labels: CVE, security
> Fix For: 3.6.0, 3.4.2, 3.5.2
>
>
> The CVE-2023-40167 and CVE-2023-36479 vulnerabilities affect Jetty version 
> *9.4.51*. For more information see 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167] 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749] 
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address 
> this issue.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1

2023-09-25 Thread Divij Vaidya (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17768595#comment-17768595 ]

Divij Vaidya commented on KAFKA-15487:
--

[~dongjin] I am assigning this ticket to myself since we have to move a bit 
faster on this JIRA. I have started a PR 
[https://github.com/apache/kafka/pull/14438] for this.

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 
> 12.0.1
> --
>
> Key: KAFKA-15487
> URL: https://issues.apache.org/jira/browse/KAFKA-15487
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.7.0, 2.6.1, 3.4.1, 3.6.0, 3.5.1
> Reporter: Rafael Rios Saavedra
> Assignee: Dongjin Lee
> Priority: Major
> Labels: CVE, security
> Fix For: 2.8.0, 2.7.1, 2.6.2, 3.0.0
>
>
> The CVE-2023-40167 and CVE-2023-36479 vulnerabilities affect Jetty version 
> *9.4.51*. For more information see 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167] 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749] 
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address 
> this issue.





[jira] [Commented] (KAFKA-15487) CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1

2023-09-22 Thread Divij Vaidya (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-15487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17768031#comment-17768031 ]

Divij Vaidya commented on KAFKA-15487:
--

Current release candidate 3.6 uses Jetty 9.4.51 [1], hence all versions of 
Kafka are impacted by the CVE [2].

I have started a conversation with Kafka's security team about this. Let us get 
back to you on this. In the future, the preferred way to report security issues 
is by emailing [secur...@kafka.apache.org|mailto:secur...@kafka.apache.org] with 
the details.

[1] [https://github.com/apache/kafka/blame/e8dffea9ab9c02b6c6a862de11439ad0ff6bf2c5/gradle/dependencies.gradle#L93]
[2] [https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6]

> CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 
> 12.0.1
> --
>
> Key: KAFKA-15487
> URL: https://issues.apache.org/jira/browse/KAFKA-15487
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.7.0, 2.6.1
> Reporter: Rafael Rios Saavedra
> Assignee: Dongjin Lee
> Priority: Major
> Labels: CVE, security
> Fix For: 2.8.0, 2.7.1, 2.6.2, 3.0.0
>
>
> The CVE-2023-40167 and CVE-2023-36479 vulnerabilities affect Jetty version 
> *9.4.51*. For more information see 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167] 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-364749] 
> Upgrading to Jetty version *9.4.52, 10.0.16, 11.0.16, 12.0.1* should address 
> this issue.



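The version lookup behind reference [1] above, turned into a repeatable dependency-pin check. This is an added example, not code from the ticket or from the Kafka project: it reads the `jetty` entry from text in the style of Kafka's `gradle/dependencies.gradle` (a constructed sample; the exact file contents and the `versions` map layout are assumed) and compares it, per release line, against the fixed Jetty releases named in the ticket.

```python
# Flag a Jetty pin that is still below the advisory's fixed release on its own line.
import re

# Fixed versions named in the ticket for advisory GHSA-hmr7-m48g-48f6, keyed by line.
FIXED_BY_LINE = {(9, 4): (9, 4, 52), (10, 0): (10, 0, 16),
                 (11, 0): (11, 0, 16), (12, 0): (12, 0, 1)}

# Constructed sample in the style of Kafka's gradle/dependencies.gradle `versions`
# map; not the real file, and the pinned jetty value is assumed for illustration.
SAMPLE_GRADLE = '''versions += [
  jackson: "2.13.5",
  jetty: "9.4.51.v20230217",
  jline: "3.22.0",
]'''

JETTY_RE = re.compile(r'^\s*jetty\s*:\s*"([^"]+)"', re.MULTILINE)

def parse_version(text):
    """'9.4.51.v20230217' -> (9, 4, 51); Jetty 9.x tags carry a date qualifier."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break            # stop at the first non-numeric qualifier
        nums.append(int(part))
    if len(nums) < 3:
        raise ValueError(f"unparseable Jetty version: {text!r}")
    return tuple(nums[:3])

def jetty_version(gradle_text):
    """Return the pinned jetty version string, or raise if the text has none."""
    m = JETTY_RE.search(gradle_text)
    if m is None:
        raise ValueError("no jetty entry found in dependencies.gradle text")
    return m.group(1)

def assess(version_text):
    """'fixed', 'vulnerable', or 'unknown' (release line not covered by the advisory)."""
    v = parse_version(version_text)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return "unknown"     # e.g. an EOL 8.x/9.3 line: verify by hand, never assume safe
    return "fixed" if v >= fixed else "vulnerable"

def audit(gradle_text):
    ver = jetty_version(gradle_text)
    return {"version": ver, "status": assess(ver)}

if __name__ == "__main__":
    print(audit(SAMPLE_GRADLE))  # {'version': '9.4.51.v20230217', 'status': 'vulnerable'}
```

Running the same check in CI against the real file is one way to catch a regression of the pin on a maintenance branch before it ships.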