Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2022/07/26 12:32:39 UTC

[GitHub] [kafka] ajborley opened a new pull request, #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

ajborley opened a new pull request, #12440:
URL: https://github.com/apache/kafka/pull/12440

   KAFKA-14107 Upgrade Jetty for CVE fixes.
   
   Jetty: [CVE-2022-2048](https://nvd.nist.gov/vuln/detail/CVE-2022-2048)
   and [CVE-2022-2047](https://nvd.nist.gov/vuln/detail/CVE-2022-2047)
   - Fixed by upgrading to 9.4.48.v20220622
   
   Signed-off-by: Andrew Borley <BO...@uk.ibm.com>
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
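The PR above fixes the two Jetty CVEs by moving every Jetty artifact to 9.4.48.v20220622. A defender who inherits a Kafka install (or a container image built from one) usually wants to confirm that the shipped `libs/` directory actually carries that version, and that nobody has swapped in a single newer `jetty-io` jar while leaving the other Jetty modules behind. The following script is an added example written for this page, not code from the PR or from the Kafka project. It assumes Jetty 9.4 jars are named `jetty-<module>-<major>.<minor>.<patch>.v<yyyymmdd>.jar` (as they are in Kafka's `libs/` directory); the sample jar listing is constructed.

```python
"""Audit a Kafka libs/ directory for Jetty jars older than the CVE-fixed release."""
import os
import re
import sys
from typing import Dict, List, Tuple

# Version that PR #12440 states fixes CVE-2022-2047 and CVE-2022-2048.
FIXED_JETTY_VERSION = "9.4.48.v20220622"

# jetty-io-9.4.48.v20220622.jar -> ("jetty-io", "9.4.48.v20220622")
# The ".vYYYYMMDD" suffix is optional so Jetty 10/11 style names still parse.
JETTY_JAR_RE = re.compile(r"^(jetty-[a-z0-9-]+)-(\d+\.\d+\.\d+(?:\.v\d{8})?)\.jar$")

VersionTuple = Tuple[int, int, int, int]


def parse_version(version: str) -> VersionTuple:
    """Turn '9.4.48.v20220622' into a comparable tuple (9, 4, 48, 20220622).

    A missing date suffix compares as 0 so that plain x.y.z versions still sort.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?", version)
    if m is None:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch, date = m.groups()
    return (int(major), int(minor), int(patch), int(date) if date else 0)


def jetty_artifacts(jar_names: List[str]) -> Dict[str, str]:
    """Map each Jetty artifact in a jar listing to its version string."""
    found: Dict[str, str] = {}
    for name in jar_names:
        m = JETTY_JAR_RE.match(name)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit_jetty(jar_names: List[str], fixed: str = FIXED_JETTY_VERSION) -> Dict[str, List[str]]:
    """Report Jetty artifacts below the fixed version, plus a 'mixed' list when
    the Jetty artifacts do not all share one version (a partial upgrade)."""
    artifacts = jetty_artifacts(jar_names)
    fixed_tuple = parse_version(fixed)
    outdated = sorted(a for a, v in artifacts.items() if parse_version(v) < fixed_tuple)
    mixed = sorted(artifacts) if len(set(artifacts.values())) > 1 else []
    return {"outdated": outdated, "mixed": mixed}


def audit_dir(path: str) -> Dict[str, List[str]]:
    """Run audit_jetty over the file names in a real libs/ directory."""
    return audit_jetty(os.listdir(path))


# Constructed sample: a libs/ listing where only jetty-io was replaced by hand,
# leaving the other Jetty modules at an older (vulnerable) release.
SAMPLE_LIBS = [
    "kafka_2.13-3.2.0.jar",
    "jetty-io-9.4.48.v20220622.jar",
    "jetty-server-9.4.44.v20210927.jar",
    "jetty-http-9.4.44.v20210927.jar",
    "jetty-util-9.4.44.v20210927.jar",
    "slf4j-api-1.7.36.jar",
]

if __name__ == "__main__":
    result = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_jetty(SAMPLE_LIBS)
    for artifact in result["outdated"]:
        print(f"OUTDATED: {artifact} is below {FIXED_JETTY_VERSION}")
    if result["mixed"]:
        print("WARNING: Jetty artifacts are at mixed versions:", ", ".join(result["mixed"]))
    if not result["outdated"] and not result["mixed"]:
        print("OK: all Jetty artifacts at or above", FIXED_JETTY_VERSION)
```

Run it as `python audit_jetty.py /opt/kafka/libs` to check an installation, or with no argument to see the constructed sample, which reports `jetty-http`, `jetty-server` and `jetty-util` as outdated and flags the mixed versions. The "mixed" check is the practical answer to the question of replacing one Jetty jar on its own: even when the single upgraded module is the one a scanner complains about, the remaining modules still carry the old version and show up in the next scan.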


[GitHub] [kafka] mimaison commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

Posted by GitBox <gi...@apache.org>.
mimaison commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1207072464

   Backported to 3.3, 3.2, 3.1, 3.0 and 2.8.




[GitHub] [kafka] afreeland commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

Posted by GitBox <gi...@apache.org>.
afreeland commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1206775801

   Would love to see this get merged in; I've seen this failing in our container scans as well. Originally thought it was something in our base image and then discovered it was Kafka.
   
   Honestly, not very familiar with Jetty, but is it currently possible to upgrade the jetty-io package independently for existing containers?




[GitHub] [kafka] mimaison commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

Posted by GitBox <gi...@apache.org>.
mimaison commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1206887958

   I believe Kafka may only be affected by [CVE-2022-2047](https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q). [CVE-2022-2048](https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j) is an issue in http2-server which is not used by Kafka.




[GitHub] [kafka] pranayk01 commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

Posted by GitBox <gi...@apache.org>.
pranayk01 commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1257515940

   Hi, is this the fix for CVE-2022-34917 as well?




[GitHub] [kafka] mimaison merged pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

Posted by GitBox <gi...@apache.org>.
mimaison merged PR #12440:
URL: https://github.com/apache/kafka/pull/12440




[GitHub] [kafka] ajborley commented on pull request #12440: KAFKA-14107: Upgrade Jetty version for CVE fixes

Posted by GitBox <gi...@apache.org>.
ajborley commented on PR #12440:
URL: https://github.com/apache/kafka/pull/12440#issuecomment-1257571494

   No, this is just a dependency update. The fix must have been in either https://github.com/apache/kafka/pull/12603 or https://github.com/apache/kafka/pull/12626, as those are the only changes between 3.2.2 and 3.2.3.

