Re: CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients

2021-09-21 Thread Ivan Yurchenko
Hi Randall, Could you please share the JIRA ticket or the fixing commit? It might help to evaluate the impact better. Thank you! Ivan On Tue, 21 Sept 2021 at 19:37, Randall Hauch wrote: > Severity: moderate > > Description: > > Some components in Apache Kafka use `Arrays.equals` to validate

Build failed in Jenkins: Kafka » Kafka Branch Builder » trunk #487

2021-09-21 Thread Apache Jenkins Server
See Changes: -- [...truncated 493361 lines...] [2021-09-22T01:35:02.386Z] [2021-09-22T01:35:02.386Z] DeleteTopicTest > testResumeDeleteTopicOnControllerFailover() PASSED

Jenkins build is still unstable: Kafka » Kafka Branch Builder » 3.0 #138

2021-09-21 Thread Apache Jenkins Server
See

[jira] [Created] (KAFKA-13315) log layer exception during shutdown that caused an unclean shutdown

2021-09-21 Thread Cong Ding (Jira)
Cong Ding created KAFKA-13315: - Summary: log layer exception during shutdown that caused an unclean shutdown Key: KAFKA-13315 URL: https://issues.apache.org/jira/browse/KAFKA-13315 Project: Kafka

Re: [VOTE] KIP 771: KRaft brokers should not expose controller metrics

2021-09-21 Thread Ryan Dielhenn
Hello all, Thank you all for the votes! With 3 binding and 1 non-binding vote this KIP will be accepted. Regards, Ryan Dielhenn On Tue, Sep 21, 2021 at 11:44 AM Ismael Juma wrote: > Thanks for the KIP, +1 (binding). > > Ismael > > On Thu, Sep 2, 2021 at 1:20 PM Ryan Dielhenn .invalid> >

Re: [VOTE] KIP 771: KRaft brokers should not expose controller metrics

2021-09-21 Thread Ismael Juma
Thanks for the KIP, +1 (binding). Ismael On Thu, Sep 2, 2021 at 1:20 PM Ryan Dielhenn wrote: > Hello kafka devs, > > I would like to start a vote on KIP-771. This KIP proposes to not expose > controller metrics on KRaft brokers since KRaft brokers are not controller > eligible and will never

Re: [DISCUSS] KIP-774: Deprecate public access to Admin client's *Result constructors

2021-09-21 Thread Ismael Juma
Hi Tom, I think these are all fair points. I was actually part of the group that decided that constructors should not be public. Since then I've noticed that many users find this limiting. I think we should make testability a key criterion for our APIs. Requiring a mocking library for data classes

Build failed in Jenkins: Kafka » Kafka Branch Builder » trunk #486

2021-09-21 Thread Apache Jenkins Server
See Changes: -- [...truncated 489734 lines...] [2021-09-21T18:17:42.201Z] FetchRequestTest > testPartitionDataEquals() STARTED [2021-09-21T18:17:44.146Z]

Re: [DISCUSS] KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC

2021-09-21 Thread Jun Rao
Hi, Kirk, Thanks for the KIP. Does the proposal support reauthentication outlined in KIP-368? Jun On Wed, Aug 25, 2021 at 8:54 PM Manikumar wrote: > Thanks for the reply, > > Can we also update the KIP about the testing approach? > > Thanks, > > On Wed, Aug 25, 2021 at 12:01 AM Kirk True

Re: [DISCUSS] KIP-774: Deprecate public access to Admin client's *Result constructors

2021-09-21 Thread Tom Bentley
Hi Ismael, I agree that that is a laudable aim, but I couldn't see a good way of achieving that while simultaneously allowing us the ability to evolve the constructor signatures without breaking (or at least having to reason about the compatibility impact of) test code which instantiates them.

[jira] [Created] (KAFKA-13314) Pluggable components initialized with getConfiguredInstance do not respect dynamic config updates

2021-09-21 Thread David Mao (Jira)
David Mao created KAFKA-13314: - Summary: Pluggable components initialized with getConfiguredInstance do not respect dynamic config updates Key: KAFKA-13314 URL: https://issues.apache.org/jira/browse/KAFKA-13314

CVE-2021-38153: Timing Attack Vulnerability for Apache Kafka Connect and Clients

2021-09-21 Thread Randall Hauch
Severity: moderate Description: Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher
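As an added illustration (not Kafka's code and not part of the advisory), the class of bug the advisory describes next to the standard JDK fix: `Arrays.equals` returns at the first mismatching byte, so the time a failed check takes correlates with how many leading bytes of a guess were correct, and an attacker can recover a secret one byte at a time; `MessageDigest.isEqual` examines every byte before answering. The class name, method names and the sample credential strings are made up for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

/**
 * Hypothetical illustration of the Arrays.equals credential-comparison
 * pattern and its constant-time replacements. Not Kafka's own code.
 */
public final class CredentialCompare {

    /**
     * VULNERABLE: Arrays.equals short-circuits on the first differing byte.
     * The number of matching leading bytes shows up as a timing difference,
     * which is what the advisory refers to as a timing attack.
     */
    public static boolean vulnerableMatches(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    /**
     * FIXED: MessageDigest.isEqual compares all bytes before returning, so the
     * time taken does not depend on where the first mismatch is. Current JDKs
     * implement it in constant time for equal-length inputs.
     */
    public static boolean constantTimeMatches(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    /**
     * Hand-rolled equivalent showing what isEqual does internally: OR all
     * byte differences together and only inspect the result at the end.
     * Caveat: the length check still leaks the secret's length. For
     * fixed-width values (HMAC tags, hashed or derived passwords) that is
     * harmless; avoid comparing raw variable-length passwords at all.
     */
    public static boolean constantTimeMatchesManual(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    // Demo on constructed input (made up for this example).
    public static void main(String[] args) {
        byte[] stored = "correct-horse-battery".getBytes(StandardCharsets.UTF_8);
        byte[] guessNearMiss = "correct-horse-battlez".getBytes(StandardCharsets.UTF_8);
        byte[] guessFarMiss = "zzzzzzzzzzzzzzzzzzzzz".getBytes(StandardCharsets.UTF_8);

        // Both guesses are wrong, but with Arrays.equals the near miss runs
        // through 19 matching bytes before failing, the far miss through 0.
        System.out.println("vulnerable near miss: " + vulnerableMatches(stored, guessNearMiss));
        System.out.println("vulnerable far miss:  " + vulnerableMatches(stored, guessFarMiss));

        // With the constant-time comparison both wrong guesses take the same path.
        System.out.println("fixed near miss: " + constantTimeMatches(stored, guessNearMiss));
        System.out.println("fixed far miss:  " + constantTimeMatches(stored, guessFarMiss));
        System.out.println("fixed correct:   " + constantTimeMatches(stored, stored.clone()));
        System.out.println("manual correct:  " + constantTimeMatchesManual(stored, stored.clone()));
    }
}
```

When auditing a code base for this pattern, search for `Arrays.equals` and `String.equals` on anything named like a password, token, key or signature; the fix is mechanical, but the inputs should already be fixed-width (a hash or MAC) so that the remaining length check gives nothing away.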

[GitHub] [kafka-site] rhauch merged pull request #375: Add CVE-2021-38153

2021-09-21 Thread GitBox
rhauch merged pull request #375: URL: https://github.com/apache/kafka-site/pull/375 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail:

[ANNOUNCE] Apache Kafka 3.0.0

2021-09-21 Thread Konstantine Karantasis
The Apache Kafka community is pleased to announce the release for Apache Kafka 3.0.0 It is a major release that includes many new features, including: * The deprecation of support for Java 8 and Scala 2.12. * Kafka Raft support for snapshots of the metadata topic and other improvements in the

broken link on download page for "previous to 0.7.0-incubating here."

2021-09-21 Thread Neil Buesing
The link http://sna-projects.com/kafka/downloads.php does not exist, bottom of https://kafka.apache.org/downloads and takes me to the sna-projects.com homepage to buy steroids online. "You can download releases previous to 0.7.0-incubating here." I

Re: [DISCUSS] KIP-774: Deprecate public access to Admin client's *Result constructors

2021-09-21 Thread Ismael Juma
Hi Tom, You say: "While the creation of Admin mocks with package constructors is not _ergonomic_, it is _possible_. The example code in KIP-692 requires two lines of code for each result instance." Should we not be aiming to make it ergonomic? Ismael On Thu, Sep 9, 2021 at 7:25 AM Tom Bentley

Build failed in Jenkins: Kafka » Kafka Branch Builder » trunk #485

2021-09-21 Thread Apache Jenkins Server
See Changes: -- [...truncated 493729 lines...] [2021-09-21T10:41:21.079Z] > Task :raft:testClasses UP-TO-DATE [2021-09-21T10:41:21.079Z] > Task :connect:json:testJar

Jenkins build is still unstable: Kafka » Kafka Branch Builder » 3.0 #137

2021-09-21 Thread Apache Jenkins Server
See

Re: [VOTE] KIP-774: Deprecate public access to Admin client's *Result constructors

2021-09-21 Thread Luke Chen
Hi Tom, Thanks for the KIP. I agree with you that we should change it back to non-public for future enhancement. +1 (non-binding) Thank you. Luke On Mon, Sep 20, 2021 at 9:05 PM Josep Prat wrote: > Hi Tom, > > Thanks for the KIP. It's a +1 (non binding) from my side. > > Best, > ——— > Josep

Re: [DISCUSS] KIP-776: Add Consumer#peek for debugging/tuning

2021-09-21 Thread Luke Chen
Thanks for your feedback, Sagar, Boyang. I've added an additional API to take the Set as the partitions to fetch from. Good suggestion! I also updated the java doc in the KIP. And for the question that the behavior can also be achieved by using manual offset commit + offset position rewind.

Re: [DISCUSS] KIP-775: Custom partitioners in foreign key joins

2021-09-21 Thread Matthias J. Sax
Thanks for updating the KIP. One nit: The existing methods which accept Named will be marked for deprecation in 4.0. We can skip `in 4.0`. (1) The next release will be 3.1 (not 4.0) and (2) a KIP could always slip into a future release. About `TableJoined`: It seems you propose to add

Re: [DISCUSS] KIP-714: Client metrics and observability

2021-09-21 Thread Feng Min
Hi Colin, It was just an analogy to say the API version is similar to the subscription ID. Every request comes with API version information, and the broker can return an error if the supported API version has been changed. It's similar to the role of the subscription ID here. Thanks, Feng On Mon, Sep 20, 2021 at 9:51 PM