Will CVE-2021-38153 be remediated in a spring-kafka 2.x release? #2095
-
|
We have been waiting for a version of spring-kafka which includes kafka-clients 2.8.1 or higher, to remediate CVE-2021-38153 Have been trying to follow where this will arrive. If I read right, the fix is in v3.0.0-M1. Two questions follow
|
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 7 replies
-
|
There is already Spring for Apache Kafka
So, what do we miss, please? |
Beta Was this translation helpful? Give feedback.
-
|
But also see this https://docs.spring.io/spring-kafka/docs/current/reference/html/#update-deps if you are using the embedded broker for testing on Windows. |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks again @garyrussell Is there any other reference I could cite regarding false positive status? |
Beta Was this translation helpful? Give feedback.
-
|
After further review, there is some client side code affected. However, please note that we were able to convince them to release 2.7.2 and 2.6.3, also including the fix, used by the latest spring-kafka 2.7.x and 2.6.x respectively. |
Beta Was this translation helpful? Give feedback.
-
|
Side question: Do tags with name including |
Beta Was this translation helpful? Give feedback.
-
|
We no longer use the 2.8.2 is the latest stable release. Prereleases remain as -M1, -M2, -RC1, etc. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
Great. Thank you |
Beta Was this translation helpful? Give feedback.
There is already Spring for Apache Kafka
2.8.2: https://github.com/spring-projects/spring-kafka/releases/tag/v2.8.2, which is based onkafka-clients-3.0.0for a while.According that CVE:
So, what do we miss, please?
The latest GA version of
spring-kafkais fully covered for that CVE.