You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2022/10/17 12:58:48 UTC

[GitHub] [logging-log4j2] ppkarwasz commented on pull request #1111: fix(sec): upgrade org.apache.kafka:kafka-clients to 2.7.2

ppkarwasz commented on PR #1111:
URL: https://github.com/apache/logging-log4j2/pull/1111#issuecomment-1280821401

   @eurrio,
   
   IMHO and according to [MvnRepository](https://mvnrepository.com/artifact/org.apache.kafka/kafka-clients) that CVE does not apply to any Kafka client (as opposed to [Kafka servers](https://mvnrepository.com/artifact/org.apache.kafka/kafka)). There is no security reason to upgrade our `kafka-clients` version.
   
   Due to the stability of Kafka's Producer API the `KafkaAppender` can use **any** Kafka client version from 1.1.1 onwards: check our [Kafka tests](https://github.com/apache/logging-log4j2/actions/workflows/log4j-kafka-test.yml).
   
   So the only question that remains is: which version should we advertise in our POM file. @rgoers: any ideas? I don't want to "upgrade" to the latest version to show people that we also support older revisions.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org