Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2022/07/26 12:32:39 UTC
[GitHub] [kafka] ajborley opened a new pull request, #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
ajborley opened a new pull request, #12440:
URL: https://github.com/apache/kafka/pull/12440
KAFKA-14107 Upgrade Jetty for CVE fixes.
Jetty: [CVE-2022-2048](https://nvd.nist.gov/vuln/detail/CVE-2022-2048)
and [CVE-2022-2047](https://nvd.nist.gov/vuln/detail/CVE-2022-2047)
- Fixed by upgrading to 9.4.48.v20220622
Signed-off-by: Andrew Borley <BO...@uk.ibm.com>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [kafka] mimaison commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
Posted by GitBox <gi...@apache.org>.
mimaison commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1207072464
Backported to 3.3, 3.2, 3.1, 3.0 and 2.8.
[GitHub] [kafka] afreeland commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
Posted by GitBox <gi...@apache.org>.
afreeland commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1206775801
Would love to see this get merged in; seen this failing in our container scans as well. Originally thought it was something in our base image and then discovered it was Kafka.
Honestly, I'm not very familiar with Jetty, but is it currently possible to upgrade the jetty-io package independently for existing containers?
[GitHub] [kafka] mimaison commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
Posted by GitBox <gi...@apache.org>.
mimaison commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1206887958
I believe Kafka may only be affected by [CVE-2022-2047](https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q). [CVE-2022-2048](https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j) is an issue in http2-server which is not used by Kafka.
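The two comments above raise the same operational question from different sides: which Jetty artifacts does a deployed Kafka actually ship, and are any of them older than the 9.4.48.v20220622 release this PR moves to? The script below is an added example, not code from Kafka or from any commenter. It assumes Kafka's libs/ directory holds Jetty jars named like jetty-io-<version>.jar (that naming and the sample jar list are constructed for the example); it flags every Jetty jar older than the fixed release and reports whether the Jetty jars share one version, which is what an operator would want to know before replacing a single jar such as jetty-io in an existing container.

```python
import re
from pathlib import Path

# Fixed Jetty release named in the PR description.
FIXED_VERSION = "9.4.48.v20220622"

# Assumed jar naming: jetty-<module>-<major>.<minor>.<patch>.v<yyyymmdd>.jar
JETTY_JAR = re.compile(r"^(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)\.v(\d{8})\.jar$")
JETTY_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.v(\d{8})$")

# Constructed sample of a libs/ listing: two Jetty jars behind the fix,
# one already on the fixed release, and one non-Jetty jar to be ignored.
SAMPLE_LIBS = [
    "kafka-clients-3.2.0.jar",
    "jetty-io-9.4.44.v20210927.jar",
    "jetty-server-9.4.44.v20210927.jar",
    "jetty-http-9.4.48.v20220622.jar",
]


def parse_version(version):
    """Turn '9.4.48.v20220622' into a comparable tuple (9, 4, 48, 20220622)."""
    m = JETTY_VERSION.match(version)
    if m is None:
        raise ValueError(f"not a Jetty 9.4-style version: {version!r}")
    return tuple(int(part) for part in m.groups())


def parse_jar_name(name):
    """Return (artifact, version) for a Jetty jar name, or None for other jars."""
    m = JETTY_JAR.match(name)
    if m is None:
        return None
    artifact = m.group(1)
    version = f"{m.group(2)}.{m.group(3)}.{m.group(4)}.v{m.group(5)}"
    return artifact, version


def audit_jetty_jars(jar_names, fixed=FIXED_VERSION):
    """Compare every Jetty jar in the listing against the fixed release.

    Returns the per-jar findings, the artifacts still behind the fix, and
    whether the Jetty jars are on different versions (a partial upgrade).
    """
    fixed_tuple = parse_version(fixed)
    jars = []
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # not a Jetty artifact
        artifact, version = parsed
        jars.append({
            "artifact": artifact,
            "version": version,
            "outdated": parse_version(version) < fixed_tuple,
        })
    versions = {j["version"] for j in jars}
    return {
        "jars": jars,
        "outdated": [j["artifact"] for j in jars if j["outdated"]],
        "mixed_versions": len(versions) > 1,
    }


def audit_libs_dir(libs_dir):
    """Run the audit over the jar files in a real directory (e.g. kafka/libs)."""
    names = (p.name for p in Path(libs_dir).glob("*.jar"))
    return audit_jetty_jars(names)


if __name__ == "__main__":
    report = audit_jetty_jars(SAMPLE_LIBS)
    for jar in report["jars"]:
        state = "BEHIND FIX" if jar["outdated"] else "ok"
        print(f"{jar['artifact']:<14} {jar['version']:<20} {state}")
    if report["mixed_versions"]:
        print("Jetty jars are on mixed versions; upgrade them as a set.")
```

Point audit_libs_dir at a Kafka installation's libs/ directory to run it against a real listing; the sample run shows jetty-io and jetty-server behind the fix while jetty-http is current, which is exactly the mixed state that replacing one jar by hand would leave behind.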
[GitHub] [kafka] pranayk01 commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
Posted by GitBox <gi...@apache.org>.
pranayk01 commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1257515940
Hi, is this the fix for CVE-2022-34917 as well?
[GitHub] [kafka] mimaison merged pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
Posted by GitBox <gi...@apache.org>.
mimaison merged PR #12440:
URL: https://github.com/apache/kafka/pull/12440
[GitHub] [kafka] ajborley commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes
Posted by GitBox <gi...@apache.org>.
ajborley commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1257571494
No, this is just a dependency update. The fix must have been in either https://github.com/apache/kafka/pull/12603 or https://github.com/apache/kafka/pull/12626, as those are the only changes between 3.2.2 and 3.2.3.