gaurav-narula commented on PR #21395: URL: https://github.com/apache/kafka/pull/21395#issuecomment-3850219233
> @gaurav-narula thanks for the verification. I'm wondering whether it is the same issue, since PRs mentioned by the CVE are unrelated to 2.39.1

I'm fairly certain it's the same issue as the PoC is asserting the same CVE and it's reproducible in 2.39.1. Here's the trail I could find:

* The bug was reported with https://github.com/eclipse-ee4j/jersey/issues/5358
* Fixed in 2.41 with https://github.com/eclipse-ee4j/jersey/pull/5359
* The above introduced a perf regression as commented [here](https://github.com/eclipse-ee4j/jersey/pull/5359#issuecomment-2328322810) and explained [here](https://github.com/eclipse-ee4j/jersey/issues/5738)
* Initial attempt to fix with https://github.com/eclipse-ee4j/jersey/pull/5749 which had shortcomings
* Final fix which fixes both the race and the perf regression with https://github.com/eclipse-ee4j/jersey/pull/5794
