Posted to jira@kafka.apache.org by "Pavel Kuznetsov (Jira)" <ji...@apache.org> on 2021/12/08 10:14:00 UTC

[jira] [Created] (KAFKA-13518) Update gson and netty-codec in 3.0.0

Pavel Kuznetsov created KAFKA-13518:
---------------------------------------

             Summary: Update gson and netty-codec in 3.0.0
                 Key: KAFKA-13518
                 URL: https://issues.apache.org/jira/browse/KAFKA-13518
             Project: Kafka
          Issue Type: Bug
          Components: core
    Affects Versions: 3.0.0
            Reporter: Pavel Kuznetsov


*Describe the bug*
I checked the kafka_2.13-3.0.0.tgz distribution with WhiteSource and found out that some libraries have vulnerabilities.
Here they are:
* gson-2.8.6.jar has WS-2021-0419 vulnerability. The way to fix it is to upgrade to com.google.code.gson:gson:2.8.9
* netty-codec-4.1.65.Final.jar has CVE-2021-37136 and CVE-2021-37137 vulnerabilities. The way to fix it is to upgrade to io.netty:netty-codec:4.1.68.Final

*To Reproduce*
Download kafka_2.13-3.0.0.tgz and find the jars listed above.
Check that these jars, with the corresponding versions, are mentioned in the corresponding vulnerability descriptions.

*Expected behavior*

* gson upgraded to 2.8.9 or higher
* netty-codec upgraded to 4.1.68.Final or higher

*Actual behavior*

* gson is 2.8.6
* netty-codec is 4.1.65.Final



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
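The "To Reproduce" and "Expected behavior" steps above amount to checking jar versions in the distribution's lib directory against the fixed versions named in the report. The following is an added example, not code from the ticket or from the Kafka project: it parses Maven-style jar file names, compares versions (treating a `Final` qualifier as a release marker, as Maven does), and reports artifacts still below the minimum versions stated in KAFKA-13518. The jar file list is constructed for illustration; `audit_libs_dir` is a hypothetical helper for a real `libs/` directory.

```python
import re
from pathlib import Path

# Minimum fixed versions named in KAFKA-13518 (artifact id -> version).
MIN_FIXED = {
    "gson": "2.8.9",                # WS-2021-0419
    "netty-codec": "4.1.68.Final",  # CVE-2021-37136, CVE-2021-37137
}

# artifact-id, dash, version starting with a digit, ".jar"
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[\w.-]*)\.jar$")
RELEASE_QUALIFIERS = {"", "final", "ga", "release"}  # Maven treats these as release

# Constructed sample of jar names as they appear in kafka_2.13-3.0.0.tgz/libs
SAMPLE_KAFKA_3_0_0_JARS = [
    "gson-2.8.6.jar", "netty-codec-4.1.65.Final.jar",
    "scala-library-2.13.6.jar", "kafka_2.13-3.0.0.jar", "connect-api-3.0.0.jar",
]

def parse_jar_name(name):
    """'netty-codec-4.1.65.Final.jar' -> ('netty-codec', '4.1.65.Final'), or None."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None

def version_key(version):
    """Tuple key: numeric tokens compare as ints; pre-release qualifiers sort below any number."""
    key = []
    for tok in re.split(r"[.-]", version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        elif tok.lower() not in RELEASE_QUALIFIERS:
            key.append((0, 0, tok.lower()))  # e.g. alpha, beta, rc, SNAPSHOT
    return tuple(key)

def version_at_least(actual, minimum):
    """True if actual >= minimum; shorter keys are padded with 0 so 2.8.9-SNAPSHOT < 2.8.9 < 2.8.9.1."""
    a, b = version_key(actual), version_key(minimum)
    n, pad = max(len(a), len(b)), (1, 0, "")
    return a + (pad,) * (n - len(a)) >= b + (pad,) * (n - len(b))

def audit_jars(jar_names):
    """Return {artifact: (found_version, min_fixed)} for jars still below the fixed version."""
    findings = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed and parsed[0] in MIN_FIXED and not version_at_least(parsed[1], MIN_FIXED[parsed[0]]):
            findings[parsed[0]] = (parsed[1], MIN_FIXED[parsed[0]])
    return findings

def audit_libs_dir(libs_dir):
    """Hypothetical helper: run the audit over the jars in an unpacked distribution's libs/ directory."""
    return audit_jars(p.name for p in Path(libs_dir).glob("*.jar"))

if __name__ == "__main__":
    for artifact, (found, minimum) in audit_jars(SAMPLE_KAFKA_3_0_0_JARS).items():
        print(f"{artifact}: found {found}, needs >= {minimum}")
```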