Posted to users@kafka.apache.org by Colin McCabe <cm...@apache.org> on 2021/11/01 21:04:01 UTC

Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image

It seems like your image does not show up on the mailing list.

best,
Colin

On Wed, Sep 1, 2021, at 06:26, Ashish Patil wrote:
> Hi Team
>  
> I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.
>  
> 
>  
> What is your suggestion on this?
>  
> Thanks
> Ashish
>  
> *From:* Jake Murphy Smith <ja...@gm.com> 
> *Sent:* 01 September 2021 09:31
> *To:* Ashish Patil <as...@gm.com>
> *Subject:* RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>  
>  
>  
> *From:* Luke Chen <sh...@gmail.com> 
> *Sent:* 01 September 2021 04:11
> *To:* Kafka Users <us...@kafka.apache.org>
> *Cc:* dev@kafka.apache.org; Jake Murphy Smith <ja...@gm.com>
> *Subject:* [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>  
> Hi Ashish,
> I suggested that you upgrade to V2.8.
> I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in V2.8.
> If you still find that the CVEs exist in V2.8, please raise it.
>  
> Thank you.
> Luke
>  
>  
>  
>  
> On Wed, Sep 1, 2021 at 4:07 AM Ashish Patil <as...@gm.com> wrote:
>> Hi Team
>> 
>> I wanted to use the 2.6.0 docker image for Kafka but it has lots of security vulnerabilities.
>> Please find below the list of security vulnerabilities:
>> CVE-2021-36159
>> CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
>> CVE-2021-22926
>> CVE-2021-22922
>> CVE-2021-22924
>> CVE-2021-22922
>> CVE-2021-22924
>> CVE-2021-31535
>> CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>
>> 
>> I did raise this issue here https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like the issue is within the Kafka binary.
>> 
>>  
>> 
>> Do we have any plan to fix this in the coming version or any suggestions around this?
>> 
>> Thanks
>> Ashish