Posted to users@kafka.apache.org by Colin McCabe <cm...@apache.org> on 2021/11/01 21:04:01 UTC
Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
It seems like your image does not show up on the mailing list.
best,
Colin
On Wed, Sep 1, 2021, at 06:26, Ashish Patil wrote:
> Hi Team
>
> I tried upgrading it to 2.13_2.8.0 but still have these vulnerabilities.
>
> What is your suggestion on this?
>
> Thanks
> Ashish
>
> *From:* Jake Murphy Smith <ja...@gm.com>
> *Sent:* 01 September 2021 09:31
> *To:* Ashish Patil <as...@gm.com>
> *Subject:* RE: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>
> *From:* Luke Chen <sh...@gmail.com>
> *Sent:* 01 September 2021 04:11
> *To:* Kafka Users <us...@kafka.apache.org>
> *Cc:* dev@kafka.apache.org; Jake Murphy Smith <ja...@gm.com>
> *Subject:* [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image
>
> Hi Ashish,
> I suggested that you upgrade to V2.8.
> I checked 2 of the CVEs, and they are fixed (or not used, like libfetch) in V2.8.
> If you still find that the CVEs exist in V2.8, please raise it.
>
> Thank you.
> Luke
>
> On Wed, Sep 1, 2021 at 4:07 AM Ashish Patil <as...@gm.com> wrote:
>> Hi Team
>>
>> I wanted to use the 2.6.0 docker image for Kafka but it has lots of security vulnerabilities.
>> Please find the below list of security vulnerabilities:
>> CVE-2021-36159
>> CVE-2020-25649 <https://github.com/advisories/GHSA-288c-cq4h-88gq>
>> CVE-2021-22926
>> CVE-2021-22922
>> CVE-2021-22924
>> CVE-2021-22922
>> CVE-2021-22924
>> CVE-2021-31535
>> CVE-2019-17571 <https://github.com/advisories/GHSA-2qrg-x229-3v8q>
>>
>> I did raise this issue here https://github.com/wurstmeister/kafka-docker/issues/681 but it looks like the issue is within the Kafka binary.
>>
>> Do we have any plan to fix this in the coming version or any suggestions around this?
>>
>> Thanks
>> Ashish