You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Ismael Juma (Jira)" <ji...@apache.org> on 2021/05/31 17:48:00 UTC
[jira] [Commented] (KAFKA-12869) Update vulnerable dependencies
[ https://issues.apache.org/jira/browse/KAFKA-12869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17354604#comment-17354604 ]
Ismael Juma commented on KAFKA-12869:
-------------------------------------
Thanks for the report. Have you checked if these have already been fixed in trunk?
> Update vulnerable dependencies
> ------------------------------
>
> Key: KAFKA-12869
> URL: https://issues.apache.org/jira/browse/KAFKA-12869
> Project: Kafka
> Issue Type: Bug
> Components: core, KafkaConnect
> Affects Versions: 2.7.1
> Reporter: Pavel Kuznetsov
> Priority: Major
> Labels: security
>
> *Description*
> I checked kafka_2.13-2.7.1.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities.
> Here they are:
> * jetty-io-9.4.38.v20210224.jar has CVE-2021-28165 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-io:9.4.39 or org.eclipse.jetty:jetty-io:10.0.2 or org.eclipse.jetty:jetty-io:11.0.2
> * jersey-common-2.31.jar has CVE-2021-28168 vulnerability. The way to fix it is to upgrade to org.glassfish.jersey.core:jersey-common:2.34
> * jetty-server-9.4.38.v20210224.jar has CVE-2021-28164 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-webapp:9.4.39
> *To Reproduce*
> Download kafka_2.13-2.7.1.tgz and find jars, listed above.
> Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.
> *Expected*
> * jetty-io upgraded to 9.4.39 or higher
> * jersey-common upgraded to 2.34 or higher
> * jetty-server upgraded to jetty-webapp:9.4.39 or higher
> *Actual*
> * jetty-io is 9.4.38
> * jersey-common is 2.31
> * jetty-server is 9.4.38
--
This message was sent by Atlassian Jira
(v8.3.4#803005)