[KAFKA-13048] Update vulnerable dependencies in 2.8.0 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 2.8.0
Fix Version/s: None
Component/s: connect, core
Labels:
- security

Description

*Describe the bug*
I checked kafka_2.13-2.8.0.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities.
Here they are:

jetty-http-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-http:9.4.41.v20210516
jetty-server-9.4.40.v20210413.jar has CVE-2021-28169 and CVE-2021-34428 vulnerabilities. The way to fix it is to upgrade to org.eclipse.jetty:jetty-server:9.4.41.v20210516
jetty-servlets-9.4.40.v20210413.jar has CVE-2021-28169 vulnerability. The way to fix it is to upgrade to org.eclipse.jetty:jetty-servlets:9.4.41.v20210516

*To Reproduce*
Download kafka_2.13-2.8.0.tgz and find jars, listed above.
Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.

*Expected behavior*

jetty-http upgraded to 9.4.41.v20210516 or higher
jetty-server upgraded to 9.4.41.v20210516 or higher
jetty-servlets upgraded to 9.4.41.v20210516 or higher

*Actual behaviour*

jetty-http is 9.4.40.v20210413
jetty-server is 9.4.40.v20210413
jetty-servlets is 9.4.40.v20210413

Attachments

Issue Links

duplicates

KAFKA-12985 CVE-2021-28169 - Upgrade jetty to 9.4.42

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: Pavel Kuznetsov

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 08/Jul/21 11:23

Updated:: 08/Jul/21 12:19

Resolved:: 08/Jul/21 12:19