KAFKA-14107: Upgrade Jetty version for CVE fixes#12440
Merged
mimaison merged 1 commit into apache:trunk on Aug 5, 2022
KAFKA-14107 Upgrade Jetty for CVE fixes.
Jetty: [CVE-2022-2048](https://nvd.nist.gov/vuln/detail/CVE-2022-2048) and [CVE-2022-2047](https://nvd.nist.gov/vuln/detail/CVE-2022-2047) - Fixed by upgrading to 9.4.48.v20220622
Signed-off-by: Andrew Borley <BORLEY@uk.ibm.com>
Would love to see this get merged in, seen this failing in our container scans as well. Originally thought it was something in our base image and then discovered it was Kafka. It appears to be in 3.2 and 3.3 just from a quick check... I am using 3.2 when I initially noticed this. Honestly, not very familiar with Jetty, but is it currently possible to upgrade the jetty-io package independently for existing containers?
afreeland approved these changes, Aug 5, 2022
Member
I believe Kafka may only be affected by CVE-2022-2047. CVE-2022-2048 is an issue in http2-server which is not used by Kafka.
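A check a practitioner can run against a deployed Kafka before and after this upgrade, as an added example (not code from this PR or from the Kafka project): it scans the jars in a Kafka libs/ directory, parses Jetty 9.4's major.minor.patch.vYYYYMMDD version scheme, and flags any jetty-* module older than the 9.4.48.v20220622 the PR moves to. Because Jetty modules (jetty-io, jetty-server, jetty-http, jetty-util, ...) are released as one version set, bumping jetty-io alone in a container leaves a mixed set, so the check reports that too; it also reports whether any http2-* jar is present, since that is where CVE-2022-2048 lives. The jar naming convention, the /opt/kafka/libs path and the sample listing are assumptions, and the listing is constructed rather than taken from a real distribution.

```python
"""Check the Jetty jars shipped in a Kafka libs/ directory against the
version this PR upgrades to.

Added example (not code from the PR or from the Kafka project). It assumes
the binary distribution's naming convention jetty-<module>-<version>.jar and
Jetty 9.4's <major>.<minor>.<patch>.v<yyyymmdd> version scheme. The sample
listing below is constructed, not taken from a real distribution.
"""
import re
import sys
from pathlib import Path

# Version the PR moves Kafka to (stated in the PR description).
FIXED_JETTY = "9.4.48.v20220622"

# jetty-<module>-<major>.<minor>.<patch>.v<yyyymmdd>.jar
JETTY_JAR = re.compile(
    r"^(?P<module>jetty-[a-z-]+)-(?P<version>\d+\.\d+\.\d+\.v\d{8})\.jar$"
)
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.v(\d{8})")


def parse_version(text):
    """'9.4.48.v20220622' -> (9, 4, 48, 20220622); tuples compare in order."""
    m = VERSION.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    return tuple(int(part) for part in m.groups())


def scan_jar_names(names, minimum=FIXED_JETTY):
    """Classify a list of jar filenames.

    Returns a dict with:
      outdated  - sorted (module, version) pairs older than `minimum`
      versions  - distinct Jetty versions seen; more than one means a mixed
                  set, which is what a partial "just bump jetty-io" leaves
      http2     - True if any http2-* jar is present (CVE-2022-2048 scope,
                  which the reviewer above says Kafka does not ship)
    """
    floor = parse_version(minimum)
    outdated, versions, http2 = [], set(), False
    for name in names:
        if name.startswith("http2-") and name.endswith(".jar"):
            http2 = True
            continue
        m = JETTY_JAR.match(name)
        if not m:
            continue  # not a Jetty module jar
        version = m.group("version")
        versions.add(version)
        if parse_version(version) < floor:
            outdated.append((m.group("module"), version))
    return {"outdated": sorted(outdated), "versions": versions, "http2": http2}


def scan_libs_dir(path, minimum=FIXED_JETTY):
    """Scan an on-disk directory such as /opt/kafka/libs (path is an assumption)."""
    return scan_jar_names((p.name for p in Path(path).iterdir()), minimum)


# Constructed sample listing: a pre-fix install with one module bumped by hand.
SAMPLE_LISTING = [
    "kafka_2.13-3.2.0.jar",
    "jetty-server-9.4.44.v20210927.jar",
    "jetty-http-9.4.44.v20210927.jar",
    "jetty-util-9.4.44.v20210927.jar",
    "jetty-io-9.4.48.v20220622.jar",      # bumped alone: still a mixed set
    "jersey-server-2.34.jar",
]


def report(result):
    """Render a scan result as text lines so callers can log or print them."""
    lines = []
    for module, version in result["outdated"]:
        lines.append(f"OUTDATED {module} {version} (< {FIXED_JETTY})")
    if len(result["versions"]) > 1:
        lines.append("MIXED Jetty versions: " + ", ".join(sorted(result["versions"])))
    if result["http2"]:
        lines.append("http2-* jar present: CVE-2022-2048 in scope")
    return lines or ["OK: all Jetty jars at or above " + FIXED_JETTY]


if __name__ == "__main__":
    # Pass a libs/ path to scan a real install; with no argument the sample runs.
    result = scan_libs_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_jar_names(SAMPLE_LISTING)
    print("\n".join(report(result)))
    sys.exit(1 if result["outdated"] or len(result["versions"]) > 1 else 0)
```

Run it as `python check_jetty.py /opt/kafka/libs` inside the container; a non-zero exit means either an outdated module or a mixed version set, which is the state a hand-patched jetty-io would leave. The version tuple compares numerically, so a later 9.4.x release with a newer date also passes.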
mimaison pushed a commit that referenced this pull request, Aug 5, 2022
Reviewers: Mickael Maison <mickael.maison@gmail.com>, Aaron Freeland <afreeland@gmail.com>
Member
Backported to 3.3, 3.2, 3.1, 3.0 and 2.8.
ijuma added a commit to confluentinc/kafka that referenced this pull request, Aug 10, 2022
…(10 August 2022)
Trivial conflict in gradle/dependencies.gradle due to the newer Netty version in confluentinc/kafka.
* apache-github/trunk:
  MINOR: Upgrade gradle to 7.5.1 and bump other build/test dependencies (apache#12495)
  KAFKA-14140: Ensure an offline or in-controlled-shutdown replica is not eligible to join ISR in ZK mode (apache#12487)
  KAFKA-14114: Add Metadata Error Related Metrics
  MINOR: BrokerMetadataSnapshotter must avoid exceeding batch size (apache#12486)
  MINOR: Upgrade mockito test dependencies (apache#12460)
  KAFKA-14144:; Compare AlterPartition LeaderAndIsr before fencing partition epoch (apache#12489)
  KAFKA-14134: Replace EasyMock with Mockito for WorkerConnectorTest (apache#12472)
  MINOR: Update scala version in bin scripts to 2.13.8 (apache#12477)
  KAFKA-14104; Add CRC validation when iterating over Metadata Log Records (apache#12457)
  MINOR: add :server-common test dependency to :storage (apache#12488)
  KAFKA-14107: Upgrade Jetty version for CVE fixes (apache#12440)
  KAFKA-14124: improve quorum controller fault handling (apache#12447)
ijuma added a commit to franz1981/kafka that referenced this pull request, Aug 12, 2022
* apache-github/trunk: (447 commits)
  KAFKA-13959: Controller should unfence Broker with busy metadata log (apache#12274)
  KAFKA-10199: Expose read only task from state updater (apache#12497)
  KAFKA-14154; Return NOT_CONTROLLER from AlterPartition if leader is ahead of controller (apache#12506)
  KAFKA-13986; Brokers should include node.id in fetches to metadata quorum (apache#12498)
  KAFKA-14163; Retry compilation after zinc compile cache error (apache#12507)
  Remove duplicate common.message.* from clients:test jar file (apache#12407)
  KAFKA-13060: Replace EasyMock and PowerMock with Mockito in WorkerGroupMemberTest.java (apache#12484)
  Fix the rate window size calculation for edge cases (apache#12184)
  MINOR: Upgrade gradle to 7.5.1 and bump other build/test dependencies (apache#12495)
  KAFKA-14140: Ensure an offline or in-controlled-shutdown replica is not eligible to join ISR in ZK mode (apache#12487)
  KAFKA-14114: Add Metadata Error Related Metrics
  MINOR: BrokerMetadataSnapshotter must avoid exceeding batch size (apache#12486)
  MINOR: Upgrade mockito test dependencies (apache#12460)
  KAFKA-14144:; Compare AlterPartition LeaderAndIsr before fencing partition epoch (apache#12489)
  KAFKA-14134: Replace EasyMock with Mockito for WorkerConnectorTest (apache#12472)
  MINOR: Update scala version in bin scripts to 2.13.8 (apache#12477)
  KAFKA-14104; Add CRC validation when iterating over Metadata Log Records (apache#12457)
  MINOR: add :server-common test dependency to :storage (apache#12488)
  KAFKA-14107: Upgrade Jetty version for CVE fixes (apache#12440)
  KAFKA-14124: improve quorum controller fault handling (apache#12447)
  ...
fmin added a commit to confluentinc/kafka that referenced this pull request, Sep 14, 2022
…2022
* apache-kafka/2.8:
  MINOR: Update 2.8 branch version to 2.8.3-SNAPSHOT
  MINOR: Update NOTICE file
  MINOR: Update version to 2.8.2
  MINOR: Bump version in upgrade guide to 2.8.2
  MINOR: Update LICENSE for 2.8.2
  MINOR: Disable kraft system tests in 2.8 branch
  MINOR: Add configurable max receive size for SASL authentication requests
  MINOR: Add more validation during KRPC deserialization
  KAFKA-14107: Upgrade Jetty version for CVE fixes (apache#12440)
fmin added a commit to confluentinc/kafka that referenced this pull request, Sep 14, 2022
…1-14-SEP-2022
* apache-kafka/3.1: (17 commits)
  MINOR: Update 3.1 branch version to 3.1.3-SNAPSHOT
  Upgrade Netty and Jackson versions for CVE fixes [KAFKA-14044] (apache#12376)
  Bump version to 3.1.2
  MINOR: Update LICENSE-binary
  MINOR: Bump version in upgrade guide to 3.1.2
  MINOR: Add configurable max receive size for SASL authentication requests
  MINOR: Add more validation during KRPC deserialization
  MINOR: Add note on IDEMPOTENT_WRITE ACL to notable changes (apache#12260)
  KAFKA-14107: Upgrade Jetty version for CVE fixes (apache#12440)
  KAFKA-14062: OAuth client token refresh fails with SASL extensions (apache#12398)
  ...
Hi, is this the fix for CVE-2022-34917 as well?
Commit:
KAFKA-14107 Upgrade Jetty for CVE fixes.
Jetty: CVE-2022-2048
and CVE-2022-2047
Signed-off-by: Andrew Borley <BORLEY@uk.ibm.com>