Re: Guava version upgrade

[jiahaozhouwh]

On 2019/03/15 16:44:32, "Colin McCabe"  wrote: 
> Hi JIAHAO,
> 
> Kafka does not use Guava.
> 
> Some of the packages Kafka Connect depend on use Guava.  Perhaps the right 
> thing to do is track down those projects and see how they are using Guava (if 
> they are vulnerable to the CVE).
> 
> best,
> Colin
> 
> 
> On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote:
> > Hello,
> > when downloading Kafka 2.1.1, the  kafka_2.12-2.1.1.tgz still contains
> > guava-20.0.jar. This guava version currently has a vulnerability
> > described here: https://github.com/google/guava/wiki/CVE-2018-10237
> > The version 24.1.1 and 25.0+ are fixed version.
> > Are there any plans to upgrade this dependency?
> > 
> > Regards
> > Jiahao Zhou
> >
> Thanks Colin

Re: Guava version upgrade

[Colin McCabe]

Hi JIAHAO,

Kafka does not use Guava.

Some of the packages Kafka Connect depend on use Guava.  Perhaps the right 
thing to do is track down those projects and see how they are using Guava (if 
they are vulnerable to the CVE).

best,
Colin


On Mon, Mar 4, 2019, at 15:52, JIAHAO ZHOU wrote:
> Hello,
> when downloading Kafka 2.1.1, the  kafka_2.12-2.1.1.tgz still contains
> guava-20.0.jar. This guava version currently has a vulnerability
> described here: https://github.com/google/guava/wiki/CVE-2018-10237
> The version 24.1.1 and 25.0+ are fixed version.
> Are there any plans to upgrade this dependency?
> 
> Regards
> Jiahao Zhou
>