Posted to users@kafka.apache.org by "zjfplayer@hotmail.com" <zj...@hotmail.com> on 2023/03/29 02:46:51 UTC

About CVE-2023-25194

Hi,
Our Kafka version is 2.x. I would like to ask everyone: is it risky to upgrade to version 3.4.0 in order to fix CVE-2023-25194? There are already customers using our products.
Also, I would like to ask how to fix CVE-2023-25194 on version 2.x. I did not find the corresponding commit in the commit history of 3.4.0. Can someone help me find the corresponding commit record?



zjfplayer@hotmail.com

Re: About CVE-2023-25194

Posted by Luke Chen <sh...@gmail.com>.
Hi,

This is the commit to fix the CVE:
https://github.com/apache/kafka/commit/ae22ec1a0ea005664439c3f45111aa34390ecaa1
Upgrading from 2.x to 3.x is a major version upgrade, so it will have some
compatibility issues.
Please check the notable changes for v3.0 here:
https://kafka.apache.org/documentation/#upgrade_300_notable

Thank you.
Luke


RE: About CVE-2023-25194

Posted by Margaret Figura <ma...@infovista.com.INVALID>.
We recently upgraded from 2.5.0 to 3.3.1. Our usage is pretty simple -- just basic pub/sub with the standard Java producer/consumer, nothing fancy. We just needed to make this one small change in our code:
"The close(long, TimeUnit) method was removed from the producer, consumer and admin client. Please use close(Duration)."

Otherwise, no problems, everything works for us the same as before. That said, it is a major version upgrade, so your mileage may vary!

-Meg
