Posted to jira@kafka.apache.org by "Dongjin Lee (Jira)" <ji...@apache.org> on 2021/12/08 11:54:00 UTC
[jira] [Assigned] (KAFKA-13518) Update gson and netty-codec in 3.0.0
[ https://issues.apache.org/jira/browse/KAFKA-13518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjin Lee reassigned KAFKA-13518:
-----------------------------------
Assignee: Dongjin Lee
> Update gson and netty-codec in 3.0.0
> ------------------------------------
>
> Key: KAFKA-13518
> URL: https://issues.apache.org/jira/browse/KAFKA-13518
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 3.0.0
> Reporter: Pavel Kuznetsov
> Assignee: Dongjin Lee
> Priority: Major
> Labels: security
>
> *Describe the bug*
> I checked the kafka_2.13-3.0.0.tgz distribution with WhiteSource and found out that some libraries have vulnerabilities.
> Here they are:
> * gson-2.8.6.jar has WS-2021-0419 vulnerability. The way to fix it is to upgrade to com.google.code.gson:gson:2.8.9
> * netty-codec-4.1.65.Final.jar has CVE-2021-37136 and CVE-2021-37137 vulnerabilities. The way to fix it is to upgrade to io.netty:netty-codec:4.1.68.Final
> *To Reproduce*
> Download kafka_2.13-3.0.0.tgz and find jars, listed above.
> Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.
> *Expected behavior*
> * gson upgraded to 2.8.9 or higher
> * netty-codec upgraded to 4.1.68.Final or higher
> *Actual behavior*
> * gson is 2.8.6
> * netty-codec is 4.1.65.Final
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
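The reproduction steps in the ticket amount to listing the jars bundled in the distribution and comparing their versions against the fixed ones named in the report. The script below is an added example, not Kafka project code and not part of the ticket: it builds a constructed in-memory tarball that mimics the kafka_2.13-3.0.0/libs/ layout (the gson and netty-codec jar names are the ones the report lists; the scala-library jar is filler), parses artifact and version out of each jar name, and flags any jar below the floors the report gives (gson 2.8.9, netty-codec 4.1.68.Final). The function names, the MIN_VERSIONS table and the simple version ordering are my assumptions.

```python
"""Check the jars in a Kafka distribution tarball against minimum fixed versions.

Added example, not Kafka project code. The tarball is CONSTRUCTED in memory to
mimic the kafka_2.13-3.0.0/libs/ layout; pass the bytes of a real
kafka_2.13-3.0.0.tgz to audit() to check an actual download.
"""
import io
import re
import tarfile

# Floors taken from the ticket: the fix versions it names are treated as the
# minimum, and anything lower is flagged (assumption: no other jars audited).
MIN_VERSIONS = {
    "gson": "2.8.9",
    "netty-codec": "4.1.68.Final",
}

# artifact-version.jar: artifact is matched non-greedily so that the version
# starts at the first "-<digit>" boundary (handles kafka_2.13-3.0.0.jar too).
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def version_key(version: str):
    """Turn '4.1.65.Final' into a tuple that compares across releases.

    Numeric tokens compare as ints; textual tokens (Final, RC1, ...) compare
    as strings and sort after numbers. Good enough for the jars in this
    ticket; it is not a full Maven version ordering.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def parse_jar_name(name: str):
    """Map 'libs/netty-codec-4.1.65.Final.jar' to ('netty-codec', '4.1.65.Final'), else None."""
    match = JAR_RE.match(name.rsplit("/", 1)[-1])
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def list_jars(tgz_bytes: bytes) -> dict:
    """Return {artifact: version} for every jar in the tarball without extracting to disk."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parsed = parse_jar_name(member.name)
            if parsed:
                found[parsed[0]] = parsed[1]
    return found


def find_outdated(jars: dict, minimums: dict = MIN_VERSIONS) -> list:
    """Return [(artifact, shipped, minimum)] for each audited jar below its floor."""
    outdated = []
    for artifact, minimum in minimums.items():
        shipped = jars.get(artifact)
        if shipped is not None and version_key(shipped) < version_key(minimum):
            outdated.append((artifact, shipped, minimum))
    return outdated


def build_sample_tarball(jar_names) -> bytes:
    """CONSTRUCTED fixture: an in-memory .tgz with empty files named like the real jars."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for jar in jar_names:
            info = tarfile.TarInfo(name=f"kafka_2.13-3.0.0/libs/{jar}")
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Jar names as the ticket reports them for kafka_2.13-3.0.0, plus a filler
# jar that is not audited; both tarballs are constructed here.
SAMPLE_3_0_0 = build_sample_tarball([
    "gson-2.8.6.jar",
    "netty-codec-4.1.65.Final.jar",
    "scala-library-2.13.6.jar",
])
SAMPLE_FIXED = build_sample_tarball([
    "gson-2.8.9.jar",
    "netty-codec-4.1.68.Final.jar",
    "scala-library-2.13.6.jar",
])


def audit(tgz_bytes: bytes) -> list:
    """List the jars in the tarball and report those below the MIN_VERSIONS floors."""
    return find_outdated(list_jars(tgz_bytes))


if __name__ == "__main__":
    for artifact, shipped, minimum in audit(SAMPLE_3_0_0):
        print(f"{artifact}: shipped {shipped}, need >= {minimum}")
```

To audit a real download, read the .tgz into bytes and pass them to audit(); it reads the member list only and never extracts to disk. The version ordering compares qualifiers like Final lexically after the numeric parts, which is adequate for the two jars in this ticket but should not be relied on for pre-release tags such as RC or SNAPSHOT.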