RE: Fix for CVEs

2024-04-02 Thread Sahil Sharma D
Hi Team,

Any update regarding the below CVEs? When can these be fixed?
> CVE-2022-42003
>
> CVE-2022-42004

Regards,
Sahil

-Original Message-
From: Josep Prat  
Sent: Thursday, December 7, 2023 3:08 PM
To: users@kafka.apache.org
Subject: Re: Fix for CVEs

Hi Sahil,

Regarding CVE-2023-31582, it affects jose4j versions prior to 0.9.3 (not 
included). Apache Kafka has been using jose4j version 0.9.3 for a while now; it 
was introduced in this commit[1] on May 13.
Since Kafka 3.4.1 all versions have been shipped with jose4j 0.9.3. Please note 
that NVD's CVE page[2] states that this affects "Up to (excluding):
0.9.3". Also, the jose4j release notes[3] specify that this specific vulnerability 
was fixed in 0.9.3.

How did you detect that Kafka was affected by CVE-2023-31582?

Best,

[1]: https://github.com/apache/kafka/commit/fa7818dff5a28048401654a7497e56dbc988b755
[2]: https://nvd.nist.gov/vuln/detail/CVE-2023-31582#range-9713327
[3]: https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes

On Thu, Dec 7, 2023 at 10:00 AM Sahil Sharma D 
 wrote:

> Hi team,
>
> There is another vulnerability we detected; can you please share whether 
> Kafka is planning to fix this vulnerability:
> CVE-2023-31582
> GHSA-jgvc-jfgh-rjvv
>
> Regards,
> Sahil
> From: Sahil Sharma D
> Sent: 17 October 2023 02:45 PM
> To: 'users@kafka.apache.org' 
> Subject: RE: Fix for CVEs
>
> Hi Team,
>
> There is another vulnerability we detected, CVE-2023-4586; can you 
> please share whether Kafka is planning to fix this vulnerability and the CVEs 
> mentioned in the mail trail.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 14 September 2023 05:51 PM
> To: 'users@kafka.apache.org'
> Subject: Fix for CVEs
>
> Hi Team,
>
> As suggested earlier I tried to reach "secur...@apache.org"; this address is 
> meant for coordinating still-undisclosed potential vulnerabilities only.
>
> Can you please share the release plan for the below-mentioned CVEs:
>
> CVE-2023-34454
>
> CVE-2023-34453
>
> CVE-2022-42003
>
> CVE-2022-42004
>
> CVE-2023-34462
>
> CVE-2023-35116
>
> Regards,
> Sahil
>


--
*Josep Prat*
Open Source Engineering Director, *Aiven*
josep.p...@aiven.io   |   +491715557497
aiven.io <https://www.aiven.io>
*Aiven Deutschland GmbH*
Alexanderufer 3-7, 10117 Berlin
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
Amtsgericht Charlottenburg, HRB 209739 B



Re: Fix for CVEs

2023-12-07 Thread Josep Prat
Hi Sahil,

Regarding CVE-2023-31582, it affects jose4j versions prior to 0.9.3 (not
included). Apache Kafka has been using jose4j version 0.9.3 for a while
now; it was introduced in this commit[1] on May 13.
Since Kafka 3.4.1 all versions have been shipped with jose4j 0.9.3. Please
note that NVD's CVE page[2] states that this affects "Up to (excluding):
0.9.3". Also, the jose4j release notes[3] specify that this specific
vulnerability was fixed in 0.9.3.

How did you detect that Kafka was affected by CVE-2023-31582?

Best,

[1]:
https://github.com/apache/kafka/commit/fa7818dff5a28048401654a7497e56dbc988b755
[2]: https://nvd.nist.gov/vuln/detail/CVE-2023-31582#range-9713327
[3]: https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes

On Thu, Dec 7, 2023 at 10:00 AM Sahil Sharma D
 wrote:

> Hi team,
>
> There is another vulnerability we detected; can you please share whether Kafka is
> planning to fix this vulnerability:
> CVE-2023-31582
> GHSA-jgvc-jfgh-rjvv
>
> Regards,
> Sahil
> From: Sahil Sharma D
> Sent: 17 October 2023 02:45 PM
> To: 'users@kafka.apache.org' 
> Subject: RE: Fix for CVEs
>
> Hi Team,
>
> There is another vulnerability we detected, CVE-2023-4586; can you please
> share whether Kafka is planning to fix this vulnerability and the CVEs mentioned in
> the mail trail.
>
> Regards,
> Sahil
>
> From: Sahil Sharma D
> Sent: 14 September 2023 05:51 PM
> To: 'users@kafka.apache.org'
> Subject: Fix for CVEs
>
> Hi Team,
>
> As suggested earlier I tried to reach "secur...@apache.org"; this address is meant for coordinating
> still-undisclosed potential vulnerabilities only.
>
> Can you please share the release plan for the below-mentioned CVEs:
>
> CVE-2023-34454
>
> CVE-2023-34453
>
> CVE-2022-42003
>
> CVE-2022-42004
>
> CVE-2023-34462
>
> CVE-2023-35116
>
> Regards,
> Sahil
>


-- 
*Josep Prat*
Open Source Engineering Director, *Aiven*
josep.p...@aiven.io   |   +491715557497
aiven.io <https://www.aiven.io>
*Aiven Deutschland GmbH*
Alexanderufer 3-7, 10117 Berlin
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
Amtsgericht Charlottenburg, HRB 209739 B
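One way to verify the point made in this reply on a deployed broker, as an added example that is not part of the thread or of Kafka's own tooling: read the jar names in a Kafka libs/ directory and apply the NVD "Up to (excluding) 0.9.3" range to the jose4j version that is actually shipped, comparing version components numerically rather than as strings. The libs listing below is constructed, and the jar-name regex and helper names are assumptions.

```python
import re
from pathlib import Path

# NVD lists CVE-2023-31582 as affecting jose4j "Up to (excluding) 0.9.3":
# every version strictly below 0.9.3 is affected, 0.9.3 itself is not.
JOSE4J_FIXED_IN = "0.9.3"

# Constructed listing of a Kafka libs/ directory (not a real install).
SAMPLE_LIBS = [
    "kafka_2.13-3.6.0.jar",
    "jose4j-0.9.3.jar",
    "jackson-databind-2.13.5.jar",
]

# Maven-style jar name: <artifact>-<numeric version>[-qualifier].jar
# Pre-release qualifiers such as -SNAPSHOT are captured but ignored for the
# range check (an assumption; NVD ranges are expressed on release versions).
_JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?P<qualifier>[-.][A-Za-z0-9]+)?\.jar$"
)

def parse_version(text):
    """'0.9.10' -> (0, 9, 10), so comparison is numeric, not lexicographic."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, fixed_in=JOSE4J_FIXED_IN):
    """NVD 'Up to (excluding) X' semantics: affected iff version < X."""
    return parse_version(version) < parse_version(fixed_in)

def find_jar_version(jar_names, artifact):
    """Return the version of `artifact` among jar file names, or None if absent."""
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m and m.group("artifact") == artifact:
            return m.group("version")
    return None

def assess_kafka_libs(jar_names):
    """Report whether the shipped jose4j falls inside the affected range."""
    version = find_jar_version(jar_names, "jose4j")
    if version is None:
        return {"jose4j": None, "affected": False, "reason": "jose4j not present"}
    return {"jose4j": version, "affected": is_affected(version),
            "reason": f"NVD range for CVE-2023-31582: < {JOSE4J_FIXED_IN}"}

def assess_libs_dir(path):
    """Same check against a real libs/ directory, e.g. assess_libs_dir('/opt/kafka/libs')."""
    return assess_kafka_libs(p.name for p in Path(path).glob("*.jar"))
```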


RE: Fix for CVEs

2023-12-07 Thread Sahil Sharma D
Hi team,

There is another vulnerability we detected; can you please share whether Kafka is 
planning to fix this vulnerability:
CVE-2023-31582
GHSA-jgvc-jfgh-rjvv

Regards,
Sahil
From: Sahil Sharma D
Sent: 17 October 2023 02:45 PM
To: 'users@kafka.apache.org' 
Subject: RE: Fix for CVEs

Hi Team,

There is another vulnerability we detected, CVE-2023-4586; can you please share 
whether Kafka is planning to fix this vulnerability and the CVEs mentioned in the mail trail.

Regards,
Sahil

From: Sahil Sharma D
Sent: 14 September 2023 05:51 PM
To: 'users@kafka.apache.org'
Subject: Fix for CVEs

Hi Team,

As suggested earlier I tried to reach "secur...@apache.org"; this address is meant for 
coordinating still-undisclosed potential vulnerabilities only.

Can you please share the release plan for the below-mentioned CVEs:

CVE-2023-34454

CVE-2023-34453

CVE-2022-42003

CVE-2022-42004

CVE-2023-34462

CVE-2023-35116

Regards,
Sahil


RE: Fix for CVEs

2023-10-18 Thread miltan
Hi Team,
 
Greetings,
 
Apologies for the delay in reply as I was down with flu.
 
We actually reached out to you for IT/ SAP/ Oracle/ Infor / Microsoft "VOTEC
IT SERVICE PARTNERSHIP", "IT SERVICE OUTSOURCING" and "PARTNER SERVICE
SUBCONTRACTING".
 
We have a very attractive, newly introduced, reasonably priced PARTNER IT SERVICE
ODC SUBCONTRACTING MODEL in the USA, Philippines, India, Singapore etc. with a
White Label Model.
 
Our LOW COST IT SERVICE ODC MODEL eliminates the cost of expensive employee
payroll and helps partners get a profit of more than 50% on each project. We
really mean it.
 
We are already working with platinum partners like NTT DATA, NEC Singapore,
Deloitte, Hitachi Consulting, ACCENTURE, Abeam Singapore etc.
 
Are you keen to understand the VOTEC IT SERVICE MODEL PARTNERSHIP offerings?
 
Let us know your availability this week or next week. We can arrange a
discussion with a Partner Manager.


-Original Message-
From: Sahil Sharma D [mailto:sahil.d.sha...@ericsson.com.INVALID] 
Sent: 17 October 2023 14:45
To: users@kafka.apache.org
Subject: RE: Fix for CVEs 

Hi Team,

There is another vulnerability we detected, CVE-2023-4586; can you please
share whether Kafka is planning to fix this vulnerability and the CVEs mentioned in the mail
trail.

Regards,
Sahil

From: Sahil Sharma D
Sent: 14 September 2023 05:51 PM
To: 'users@kafka.apache.org' 
Subject: Fix for CVEs

Hi Team,

As suggested earlier I tried to reach "secur...@apache.org"; this address is meant
for coordinating still-undisclosed potential vulnerabilities only.

Can you please share the release plan for the below-mentioned CVEs:

CVE-2023-34454

CVE-2023-34453

CVE-2022-42003

CVE-2022-42004

CVE-2023-34462

CVE-2023-35116

Regards,
Sahil



RE: Fix for CVEs

2023-10-17 Thread Sahil Sharma D
Hi Team,

There is another vulnerability we detected, CVE-2023-4586; can you please share 
whether Kafka is planning to fix this vulnerability and the CVEs mentioned in the mail trail.

Regards,
Sahil

From: Sahil Sharma D
Sent: 14 September 2023 05:51 PM
To: 'users@kafka.apache.org' 
Subject: Fix for CVEs

Hi Team,

As suggested earlier I tried to reach "secur...@apache.org"; this address is meant for 
coordinating still-undisclosed potential vulnerabilities only.

Can you please share the release plan for the below-mentioned CVEs:

CVE-2023-34454

CVE-2023-34453

CVE-2022-42003

CVE-2022-42004

CVE-2023-34462

CVE-2023-35116

Regards,
Sahil