Pavel Kuznetsov created KAFKA-13518:
---------------------------------------

             Summary: Update gson and netty-codec in 3.0.0
                 Key: KAFKA-13518
                 URL: https://issues.apache.org/jira/browse/KAFKA-13518
             Project: Kafka
          Issue Type: Bug
          Components: core
    Affects Versions: 3.0.0
            Reporter: Pavel Kuznetsov

*Describe the bug*
I checked the kafka_2.13-3.0.0.tgz distribution with WhiteSource and found out that some libraries have vulnerabilities. Here they are:
 * gson-2.8.6.jar has the WS-2021-0419 vulnerability. The way to fix it is to upgrade to com.google.code.gson:gson:2.8.9
 * netty-codec-4.1.65.Final.jar has the CVE-2021-37136 and CVE-2021-37137 vulnerabilities. The way to fix it is to upgrade to io.netty:netty-codec:4.1.68.Final

*To Reproduce*
Download kafka_2.13-3.0.0.tgz and find the jars listed above. Check that these jars with the corresponding versions are mentioned in the corresponding vulnerability descriptions.

*Expected behavior*
 * gson upgraded to 2.8.9 or higher
 * netty-codec upgraded to 4.1.68.Final or higher

*Actual behaviour*
 * gson is 2.8.6
 * netty-codec is 4.1.65.Final

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
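The reproduction steps above amount to listing the bundled jars and comparing their versions with the minimum fixed versions named in the issue. The following script is an added example, not code from the issue or from the Kafka project; it assumes the jars sit in the libs/ directory of the extracted kafka_2.13-3.0.0.tgz, and the SAMPLE_LIBS listing is constructed for illustration rather than taken from a real distribution.

```python
"""Check jars bundled with a Kafka distribution against minimum fixed versions.

Added example (not part of KAFKA-13518). Assumes jars are named
<artifact>-<version>.jar as in the libs/ directory of the extracted tarball.
"""
import re
from pathlib import Path

# Minimum versions the issue names as carrying the fixes.
MIN_FIXED = {
    "gson": "2.8.9",                # WS-2021-0419
    "netty-codec": "4.1.68.Final",  # CVE-2021-37136, CVE-2021-37137
}

# Artifact id, a dash, then a version that starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_jar(name):
    """Split 'netty-codec-4.1.65.Final.jar' into ('netty-codec', '4.1.65.Final')."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Comparable key: numeric components compare as integers; a qualifier such as
    'Final' is compared as text and sorts after a bare number in the same slot."""
    key = []
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, 0, part))
    return key


def audit(jar_names):
    """Return {artifact: (bundled_version, required_version)} for every jar
    whose version is below the minimum fixed version."""
    findings = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a versioned jar name, nothing to compare
        artifact, version = parsed
        required = MIN_FIXED.get(artifact)
        if required and version_key(version) < version_key(required):
            findings[artifact] = (version, required)
    return findings


def audit_dir(libs_dir):
    """Audit a real libs/ directory, e.g. audit_dir('kafka_2.13-3.0.0/libs')."""
    return audit(p.name for p in Path(libs_dir).glob("*.jar"))


# Constructed stand-in for the libs/ listing (not a real directory listing).
SAMPLE_LIBS = [
    "gson-2.8.6.jar",
    "netty-codec-4.1.65.Final.jar",
    "netty-handler-4.1.65.Final.jar",  # no minimum recorded, so skipped
    "kafka_2.13-3.0.0.jar",
]

if __name__ == "__main__":
    for artifact, (found, need) in sorted(audit(SAMPLE_LIBS).items()):
        print(f"{artifact}: bundled {found}, fix requires >= {need}")
```

Run against an extracted distribution with `audit_dir("kafka_2.13-3.0.0/libs")`; an empty result means every tracked artifact is at or above its minimum fixed version. The version comparison is deliberately simple (numeric parts as integers, qualifiers as text), which is enough for the two artifacts here but is not a full Maven version ordering.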