On 2019/03/15 16:44:32, "Colin McCabe" wrote:
> Hi JIAHAO,
>
> Kafka does not use Guava.
>
> Some of the packages Kafka Connect depend on use Guava. Perhaps the right
> thing to do is track down those projects and see how they are using Guava (if
> they are vulnerable to the CVE).
>
>
Hi JIAHAO,
Kafka does not use Guava.
Some of the packages Kafka Connect depend on use Guava. Perhaps the right
thing to do is track down those projects and see how they are using Guava (if
they are vulnerable to the CVE).
best,
Colin
On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote:
>
Hello,
when downloading Kafka 2.1.1, the kafka_2.12-2.1.1.tgz still contains
guava-20.0.jar. This guava version currently has a vulnerability
described here: https://github.com/google/guava/wiki/CVE-2018-10237
The version 24.1.1 and 25.0+ are fixed version.
Are there any plans to upgrade this