Hi, I am not exactly thrilled by the False positive statement. This always leads to a difficult discussion with customers.
Is there a chance of releasing a version of the connector to just add support for Kafka 3.4.0, in conjunction with Flink 1.18?

Kind regards

Jean-Marc

________________________________
From: Martijn Visser <[email protected]>
Sent: Thursday, November 9, 2023 13:51
To: [email protected] <[email protected]>; Mason Chen <[email protected]>
Subject: [EXTERNAL] Re: Request a release of flink-connector-kafka version 3.1.0 (to consume kafka 3.4.0 with Flink 1.18)

Hi,

The CVE is related to the Kafka Connect API and I think of that as a false-positive for the Flink Kafka connector. I would be inclined to preferably get https://issues.apache.org/jira/browse/FLINK-32197 in, and then do a release afterwards. But I would like to understand from Mason if he thinks that's feasible.

Best regards,

Martijn

On Tue, Nov 7, 2023 at 9:45 AM Jean-Marc Paulin <[email protected]> wrote:
>
> Hi,
>
> I had a chat on [FLINK-31599] Update kafka version to 3.4.0 by Gerrrr · Pull
> Request #11 · apache/flink-connector-kafka
> (github.com)<https://github.com/apache/flink-connector-kafka/pull/11>.
>
> We are consuming Flink 1.18, and the flink-connector-kafka 3.0.1.
> Flink 3.2.3 currently in use has the
> CVE-2023-25194<https://www.mend.io/vulnerability-database/disclosure-policy/?query=CVE-2023-25194>
> vulnerability addressed in Kafka 3.4.0. We will need to move to Kafka
> 3.4.0 for our customers. I have tried to consume Kafka client 3.4.0 but that
> fails after a while. I tracked that down to a change required in the
> flink-connector-kafka source code. The PR11 above has the required changes,
> and is merged in main, but is not currently released.
>
> I would really appreciate it if you could release a newer version of the
> flink-connector-kafka that would enable us to use Kafka 3.4.0.
>
> Many thanks
>
> JM
>
> Unless otherwise stated above:
>
> IBM United Kingdom Limited
> Registered in England and Wales with number 741598
> Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU
