You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2022/10/12 11:39:35 UTC

[GitHub] [logging-log4j2] eurrio opened a new pull request, #1111: fix(sec): upgrade org.apache.kafka:kafka-clients to 2.7.2

eurrio opened a new pull request, #1111:
URL: https://github.com/apache/logging-log4j2/pull/1111

   ### What happened？
   There are 1 security vulnerabilities found in org.apache.kafka:kafka-clients 1.1.1
   - [CVE-2021-38153](https://www.oscs1024.com/hd/CVE-2021-38153)
   
   
   ### What did I do？
   Upgrade org.apache.kafka:kafka-clients from 1.1.1 to 2.7.2 for vulnerability fix
   
   ### What did you expect to happen？
   Ideally, no insecure libs should be used.
   
   ### How was this patch tested?
   Run `mvn compile` failed locally, couldn't complete the build process.
   Run `mvn clean test` failed locally, unit-test couldn't pass.
   
   ### The specification of the pull request
   [PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [logging-log4j2] ppkarwasz commented on pull request #1111: fix(sec): upgrade org.apache.kafka:kafka-clients to 2.7.2

Posted by GitBox <gi...@apache.org>.

ppkarwasz commented on PR #1111:
URL: https://github.com/apache/logging-log4j2/pull/1111#issuecomment-1280821401

   @eurrio,
   
   IMHO and according to [MvnRepository](https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients) that CVE does not apply to any Kafka client (as opposed to [Kafka servers](https://mvnrepository.com/artifact/org.apache.kafka/kafka)). There is no security reason to upgrade our `kafka-clients` version.
   
   Due to the stability of Kafka's Producer API the `KafkaAppender` can use **any** Kafka client version from 1.1.1 onwards: check our [Kafka tests](https://github.com/apache/logging-log4j2/actions/workflows/log4j-kafka-test.yml).
   
   So the only question that remains is: which version should we advertise in our POM file. @rgoers: any ideas? I don't want to "upgrade" to the latest version to show people that we also support older revisions.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [logging-log4j2] eurrio closed pull request #1111: fix(sec): upgrade org.apache.kafka:kafka-clients to 2.7.2

Posted by GitBox <gi...@apache.org>.

eurrio closed pull request #1111: fix(sec): upgrade org.apache.kafka:kafka-clients to 2.7.2
URL: https://github.com/apache/logging-log4j2/pull/1111


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org