Hi PoAn and others,

I see that version 4.2.1 contains a few CVE-related version bumps: https://issues.apache.org/jira/issues/?jql=project%20%3D%20KAFKA%20AND%20fixVersion%20%3D%204.2.1, so you could opt to squeeze in this bouncycastle version upgrade as well: https://github.com/apache/kafka/pull/22194 (note: already merged into trunk).

Regards,
Dejan

On Wed, May 6, 2026 at 2:31 PM PoAn Yang <[email protected]> wrote:

> Hi José,
>
> We have not received any binding +1 votes yet. If these need to be
> included in 4.2.x eventually,
> I can roll a new RC after you backport KAFKA-20380.
>
> Thanks,
> PoAn
>
>
> On May 6, 2026, at 7:03 PM, José Armando García Sancio via dev <
> [email protected]> wrote:
> >
> > Hi PoAn,
> >
> > I just cherry picked the fix for KAFKA-19851 to the 4.2 branch. I see
> > that you are in the middle of releasing 4.2.1. We don't need to
> > include it in the 4.2.1 release but I will create an unreleased
> > version in Jira for 4.2.2.
> >
> > Soon, I will do the same for KAFKA-20380.
> >
> > Is that okay?
> >
> > Thanks,
> > --
> > -José
> >
