[KAFKA-13518] Update gson dependency - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0
Fix Version/s: 3.4.0
Component/s: core
Labels:
- security

Description

Describe the bug
I checked kafka_2.13-3.0.0.tgz distribution with WhiteSource and find out that some libraries have vulnerabilities.
Here they are:

gson-2.8.6.jar has WS-2021-0419 vulnerability. The way to fix it is to upgrade to com.google.code.gson:gson:2.8.9
netty-codec-4.1.65.Final.jar has CVE-2021-37136 and CVE-2021-37137 vulnerabilities. The way to fix it is to upgrade to io.netty:netty-codec:4.1.68.Final

To Reproduce
Download kafka_2.13-3.0.0.tgz and find jars, listed above.
Check that these jars with corresponding versions are mentioned in corresponding vulnerability description.

Expected behavior

gson upgraded to 2.8.9 or higher
netty-codec upgraded to 4.1.68.Final or higher

Actual behaviour

gson is 2.8.6
netty-codec is 4.1.65.Final

Attachments

Issue Links

links to

GitHub Pull Request #11579

Activity

People

Assignee:: Dongjin Lee

Reporter:: Pavel Kuznetsov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Dec/21 10:13

Updated:: 24/Oct/22 17:44

Resolved:: 24/Oct/22 17:44