You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Dongjin Lee (Jira)" <ji...@apache.org> on 2021/07/08 12:20:00 UTC
[jira] [Resolved] (KAFKA-13048) Update vulnerable dependencies in
2.8.0
[ https://issues.apache.org/jira/browse/KAFKA-13048?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dongjin Lee resolved KAFKA-13048.
---------------------------------
Resolution: Duplicate
> Update vulnerable dependencies in 2.8.0
> ---------------------------------------
>
> Key: KAFKA-13048
> URL: https://issues.apache.org/jira/browse/KAFKA-13048
> Project: Kafka
> Issue Type: Bug
> Components: core, KafkaConnect
> Affects Versions: 2.8.0
> Reporter: Pavel Kuznetsov
> Priority: Major
> Labels: security
>
> **Describe the bug**
> I checked kafka_2.13-2.8.0.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities.
> Here they are:
> - jetty-http-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-http:9.4.41.v20210516
> - jetty-server-9.4.40.v20210413.jar has CVE-2021-28169 and CVE-2021-34428 vulnerabilities. The way to fix it is to upgrade to org.eclipse.jetty:jetty-server:9.4.41.v20210516
> - jetty-servlets-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-servlets:9.4.41.v20210516
> **To Reproduce**
> Download kafka_2.13-2.8.0.tgz and find jars, listed above.
> Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.
> **Expected behavior**
> - jetty-http upgraded to 9.4.41.v20210516 or higher
> - jetty-server upgraded to 9.4.41.v20210516 or higher
> - jetty-servlets upgraded to 9.4.41.v20210516 or higher
> **Actual behaviour**
> - jetty-http is 9.4.40.v20210413
> - jetty-server is 9.4.40.v20210413
> - jetty-servlets is 9.4.40.v20210413
--
This message was sent by Atlassian Jira
(v8.3.4#803005)