Posted to jira@kafka.apache.org by "Pavel Kuznetsov (Jira)" <ji...@apache.org> on 2021/12/08 10:14:00 UTC
[jira] [Created] (KAFKA-13518) Update gson and netty-codec in 3.0.0
Pavel Kuznetsov created KAFKA-13518:
---------------------------------------
Summary: Update gson and netty-codec in 3.0.0
Key: KAFKA-13518
URL: https://issues.apache.org/jira/browse/KAFKA-13518
Project: Kafka
Issue Type: Bug
Components: core
Affects Versions: 3.0.0
Reporter: Pavel Kuznetsov
*Describe the bug*
I checked the kafka_2.13-3.0.0.tgz distribution with WhiteSource and found out that some libraries have vulnerabilities.
Here they are:
* gson-2.8.6.jar has the WS-2021-0419 vulnerability. The way to fix it is to upgrade to com.google.code.gson:gson:2.8.9
* netty-codec-4.1.65.Final.jar has the CVE-2021-37136 and CVE-2021-37137 vulnerabilities. The way to fix it is to upgrade to io.netty:netty-codec:4.1.68.Final
*To Reproduce*
Download kafka_2.13-3.0.0.tgz and find the jars listed above.
Check that these jars with the corresponding versions are mentioned in the corresponding vulnerability descriptions.
*Expected behavior*
* gson upgraded to 2.8.9 or higher
* netty-codec upgraded to 4.1.68.Final or higher
*Actual behaviour*
* gson is 2.8.6
* netty-codec is 4.1.65.Final
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
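The reproduction steps above amount to a dependency audit of the distribution's libs/ directory: list the bundled jars, parse artifact and version out of each file name, and compare against the minimum fixed versions named in the report. The script below is an added example that automates that check; it is not part of the issue or of the Kafka project. The fixed-version table is taken from the issue text, the SAMPLE_LIBS list is a constructed stand-in for a libs/ directory, and the version comparison is a deliberate simplification that compares only the numeric components (release qualifiers such as "Final" are ignored).

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum fixed versions and advisory ids, as stated in KAFKA-13518.
FIXED_VERSIONS: Dict[str, Tuple[str, List[str]]] = {
    "gson": ("2.8.9", ["WS-2021-0419"]),
    "netty-codec": ("4.1.68.Final", ["CVE-2021-37136", "CVE-2021-37137"]),
}

# Maven-style jar name: <artifact>-<version>.jar, where the version starts
# with a digit. The artifact part is matched non-greedily so that
# "netty-codec-4.1.65.Final.jar" splits at the last hyphen before a digit.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[\w.-]*)\.jar$")

# Constructed sample of a libs/ listing; the two vulnerable jars are the
# ones named in the issue, the rest are harmless filler for illustration.
SAMPLE_LIBS: List[str] = [
    "gson-2.8.6.jar",
    "netty-codec-4.1.65.Final.jar",
    "netty-handler-4.1.65.Final.jar",
    "kafka_2.13-3.0.0.jar",
    "zstd-jni-1.5.0-2.jar",
    "no-version.jar",
]


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split a jar file name into (artifact, version); None if it has no version."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    return m.group("artifact"), m.group("version")


def numeric_version(version: str) -> Tuple[int, ...]:
    """Numeric components of a version, stopping at the first non-numeric
    token (assumption: qualifiers like 'Final' do not affect ordering)."""
    nums: List[int] = []
    for tok in re.split(r"[.-]", version):
        if not tok.isdigit():
            break
        nums.append(int(tok))
    return tuple(nums)


def audit_jars(jar_names: Iterable[str]) -> List[dict]:
    """Return one finding per jar whose version is below the fixed version."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # not a versioned artifact jar; nothing to compare
        artifact, version = parsed
        entry = FIXED_VERSIONS.get(artifact)
        if entry is None:
            continue  # no advisory on record for this artifact
        fixed, ids = entry
        if numeric_version(version) < numeric_version(fixed):
            findings.append({
                "jar": name,
                "artifact": artifact,
                "version": version,
                "fixed_in": fixed,
                "ids": list(ids),
            })
    return findings


def audit_libs_dir(libs_dir: str) -> List[dict]:
    """Audit the *.jar files of an unpacked distribution's libs/ directory."""
    return audit_jars(p.name for p in Path(libs_dir).glob("*.jar"))


if __name__ == "__main__":
    # Usage: python audit_jars.py [path/to/kafka_2.13-3.0.0/libs]
    # Without an argument the constructed SAMPLE_LIBS list is audited.
    results = audit_libs_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_jars(SAMPLE_LIBS)
    for f in results:
        print(f"{f['jar']}: {f['artifact']} {f['version']} < {f['fixed_in']} ({', '.join(f['ids'])})")
    sys.exit(1 if results else 0)
```

Run against the constructed sample it reports exactly the two jars from the issue and exits non-zero, which makes it usable as a release gate; pointed at a real libs/ directory it reports whichever bundled jars are still below the versions the issue names. Because the advisory table is hard-coded from this one report, it only detects the two artifacts listed here; a complete audit still needs a maintained vulnerability database.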