You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by ji...@gmail.com,
ji...@gmail.com on 2019/04/30 01:35:05 UTC
Re: Guava version upgrade
On 2019/03/15 16:44:32, "Colin McCabe" <cm...@apache.org> wrote:
> Hi JIAHAO,
>
> Kafka does not use Guava.
>
> Some of the packages Kafka Connect depend on use Guava. Perhaps the right thing to do is track down those projects and see how they are using Guava (if they are vulnerable to the CVE).
>
> best,
> Colin
>
>
> On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote:
> > Hello,
> > when downloading Kafka 2.1.1, the kafka_2.12-2.1.1.tgz still contains
> > guava-20.0.jar. This guava version currently has a vulnerability
> > described here: https://github.com/google/guava/wiki/CVE-2018-10237
> > The version 24.1.1 and 25.0+ are fixed version.
> > Are there any plans to upgrade this dependency?
> >
> > Regards
> > Jiahao Zhou
> >
> Thanks Colin