Posted to dev@kafka.apache.org by ji...@gmail.com, ji...@gmail.com on 2019/04/30 01:35:05 UTC

Re: Guava version upgrade


On 2019/03/15 16:44:32, "Colin McCabe" <cm...@apache.org> wrote: 
> Hi JIAHAO,
> 
> Kafka does not use Guava.
> 
> Some of the packages Kafka Connect depends on use Guava. Perhaps the right thing to do is track down those projects and see how they are using Guava (if they are vulnerable to the CVE).
> 
> best,
> Colin
> 
> 
> On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote:
> > Hello,
> > When downloading Kafka 2.1.1, the kafka_2.12-2.1.1.tgz still contains
> > guava-20.0.jar. This guava version currently has a vulnerability
> > described here: https://github.com/google/guava/wiki/CVE-2018-10237
> > Versions 24.1.1 and 25.0+ are the fixed versions.
> > Are there any plans to upgrade this dependency?
> > 
> > Regards
> > Jiahao Zhou
> >
> Thanks Colin
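
The following is an added example, not part of the original thread or of the Kafka project: it lists the Guava jars bundled in a release archive and marks those below the fixed versions named in the thread (24.1.1 and 25.0+) for the per-project review suggested in the reply. The function names, the `needs-review` label and the sample listing are assumptions; only `guava-20.0.jar` inside `kafka_2.12-2.1.1` comes from the thread.

```python
import re
import tarfile

# Fixed releases as stated in the thread: 24.1.1 and 25.0+.
FIXED_MIN = (24, 1, 1)
# Matches guava-20.0.jar and guava-24.1.1-jre.jar, but not guava-testlib-*.jar.
GUAVA_JAR = re.compile(r"(?:^|/)guava-(\d+(?:\.\d+)*)(?:-(?:jre|android))?\.jar$")


def parse_version(text):
    """Turn '24.1' into (24, 1, 0) so versions compare as integer tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_names(names):
    """Return (path, version, status) for each bundled Guava jar in names."""
    findings = []
    for name in names:
        match = GUAVA_JAR.search(name)
        if not match:
            continue
        version = match.group(1)
        fixed = parse_version(version) >= FIXED_MIN
        findings.append((name, version, "fixed" if fixed else "needs-review"))
    return findings


def audit_tarball(path):
    """Audit a release archive (.tgz or .tar.gz) without extracting it."""
    with tarfile.open(path, "r:*") as archive:
        return audit_names(archive.getnames())


# Constructed listing; only the first entry is taken from the thread.
SAMPLE = [
    "kafka_2.12-2.1.1/libs/guava-20.0.jar",
    "kafka_2.12-2.1.1/libs/kafka-clients-2.1.1.jar",
    "example/libs/guava-24.1.1-jre.jar",
    "example/libs/guava-24.1-jre.jar",
    "example/libs/guava-25.0-android.jar",
    "example/libs/guava-testlib-20.0.jar",
]

if __name__ == "__main__":
    for path, version, status in audit_names(SAMPLE):
        print(f"{status:12} {version:8} {path}")
```

A `needs-review` result only says the bundled jar predates the fixed versions; whether the code that pulls it in is affected still has to be checked in that project.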