KAFKA-14044: Upgrade Netty and Jackson versions for CVE fixes #12376

Merged
showuon merged 2 commits into apache:trunk from tomncooper:netty-jackson-bump
Jul 5, 2022

@tomncooper
Contributor

KAFKA-14044 Upgrade Netty and Jackson for CVE fixes.

Netty: CVE-2022-24823 - Fixed by upgrading to 4.1.78
Jackson: CVE-2020-36518 - Fixed by upgrading to 2.13.3

Signed-off-by: Thomas Cooper <code@tomcooper.dev>
Signed-off-by: Thomas Cooper <code@tomcooper.dev>
Member

@showuon showuon left a comment

Thanks for helping fix it.

@showuon
Member

showuon commented Jul 5, 2022

Failed tests are unrelated.

@showuon showuon merged commit aa73506 into apache:trunk Jul 5, 2022
@showuon showuon changed the title Upgrade Netty and Jackson versions for CVE fixes [KAFKA-14044] KAFKA-14044: Upgrade Netty and Jackson versions for CVE fixes Jul 5, 2022
lmr3796 pushed a commit to lmr3796/kafka that referenced this pull request Jul 21, 2022
…FKA-14044] (apache#12376)

Reviewers: Luke Chen <showuon@gmail.com>

EXIT_CRITERIA=N/A
lmr3796 added a commit to linkedin/kafka that referenced this pull request Jul 21, 2022
…FKA-14044] (apache#12376) (#359)

Reviewers: Luke Chen <showuon@gmail.com>

EXIT_CRITERIA=N/A

Co-authored-by: Thomas Cooper <code@tomcooper.dev>
cadonna pushed a commit that referenced this pull request Sep 9, 2022
cadonna pushed a commit that referenced this pull request Sep 9, 2022
cadonna pushed a commit that referenced this pull request Sep 9, 2022
@cadonna
Member

cadonna commented Sep 9, 2022

Backported to 3.2, 3.1, 3.0

fmin added a commit to confluentinc/kafka that referenced this pull request Sep 14, 2022
…2022

* apache-kafka/3.0: (15 commits)
  MINOR: Update 3.0 branch version to 3.0.3-SNAPSHOT
  Upgrade Netty and Jackson versions for CVE fixes [KAFKA-14044] (apache#12376)
  Bump version to 3.0.2
  KAFKA-10712; Update release scripts to Python3 (apache#11538)
  MINOR: Update LICENSE-binary
  MINOR: Update docs/upgrade.html
  MINOR: Update version to 3.0.2
  MINOR: Add configurable max receive size for SASL authentication requests
  MINOR: Add more validation during KRPC deserialization
  MINOR: Add note on IDEMPOTENT_WRITE ACL to notable changes (apache#12260)
  ...
fmin added a commit to confluentinc/kafka that referenced this pull request Sep 14, 2022
…1-14-SEP-2022

* apache-kafka/3.1: (17 commits)
  MINOR: Update 3.1 branch version to 3.1.3-SNAPSHOT
  Upgrade Netty and Jackson versions for CVE fixes [KAFKA-14044] (apache#12376)
  Bump version to 3.1.2
  MINOR: Update LICENSE-binary
  MINOR: Bump version in upgrade guide to 3.1.2
  MINOR: Add configurable max receive size for SASL authentication requests
  MINOR: Add more validation during KRPC deserialization
  MINOR: Add note on IDEMPOTENT_WRITE ACL to notable changes (apache#12260)
  KAFKA-14107: Upgrade Jetty version for CVE fixes (apache#12440)
  KAFKA-14062: OAuth client token refresh fails with SASL extensions (apache#12398)
  ...
fmin added a commit to confluentinc/kafka that referenced this pull request Sep 14, 2022
…2-14-SEP-2022

* apache-kafka/3.2: (45 commits)
  MINOR: Bump version in upgrade guide to 3.2.3
  KAFKA-14208; Do not raise wakeup in consumer during asynchronous offset commits (apache#12626)
  KAFKA-14196; Do not continue fetching partitions awaiting auto-commit prior to revocation (apache#12603)
  MINOR: 3.2 branch version to 3.2.3-SNAPSHOT
  Bump version to 3.2.2
  Upgrade Netty and Jackson versions for CVE fixes [KAFKA-14044] (apache#12376)
  KAFKA-14194: Fix NPE in Cluster.nodeIfOnline (apache#12584)
  MINOR: Update LICENSE-binary
  MINOR: Align Scala version to 2.13.8
  MINOR: Bump version in upgrade guide to 3.2.2
  ...