Skip to content

Upgrade to Kafka 3.4.0 #34284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wilkinsona opened this issue Feb 20, 2023 · 5 comments
Closed

Upgrade to Kafka 3.4.0 #34284

wilkinsona opened this issue Feb 20, 2023 · 5 comments
Labels
type: dependency-upgrade A dependency upgrade
Milestone
3.1.0-M1

Comments

@wilkinsona
Copy link
Member

No description provided.

@wilkinsona wilkinsona added the type: dependency-upgrade A dependency upgrade label Feb 20, 2023
@wilkinsona wilkinsona added this to the 3.1.0-M1 milestone Feb 20, 2023
@chenrujun chenrujun mentioned this issue Mar 7, 2023
Closed
6 tasks
@chenrujun
Copy link
Contributor

I think it's necessary for Spring Boot 2.x in 2.7.x branch to fix CVE-2023-25194.

@wilkinsona
Copy link
Member Author

wilkinsona commented Mar 7, 2023
edited
Loading

As described in our policy for managing third-party dependencies, we won't upgrade to a new minor release of a dependency in a maintenance release of Spring Boot.

Additionally, I think this CVE is a false-positive in the context of a Spring Boot application. Its description describes it as a server-side vulnerability:

This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.

@chenrujun
Copy link
Contributor

@wilkinsona
I got it. Thank you for your information.

(cc: @stliu, FYI.)

@wilkinsona wilkinsona mentioned this issue Mar 10, 2023
Closed
@chenrujun chenrujun mentioned this issue Mar 13, 2023
Closed
@sheetalj2205
Copy link

But this is giving me error of org.springframework.beans.factory.BeanCreationException Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: kafka.utils.TestUtils.boundPort(Lkafka/server/KafkaServer;Lorg/apache/kafka/common/security/auth/SecurityProtocol;)I

I am using gradle version - 6.8.1
spring-boot - 2.7.10
testImplementation "org.springframework.kafka:spring-kafka-test:2.6.5"

@wilkinsona
Copy link
Member Author

@sheetalj2205 This upgrade only applied to Spring Boot 3.1.0-M1. As you are using 2.7.10 you are not affected by it. You should using Spring Kafka 2.8.x not 2.6.x with Spring Boot 2.7.x. You can find all the default versions listed in the documentation.

If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: dependency-upgrade A dependency upgrade
Projects
None yet
Milestone
3.1.0-M1
Development

No branches or pull requests
3 participants
@wilkinsona @chenrujun @sheetalj2205