Re: Release plan required for version 3.5.1

2023-07-26 Thread Bruno Cadonna

Hi Sahil,

Please have a look at the dependencies for Kafka 3.5.1:
https://github.com/apache/kafka/blob/3.5.1/gradle/dependencies.gradle

and compare it with your list of CVEs.

Please also have a look here: https://kafka.apache.org/project-security

If you discover a security issue, please follow the instructions on that
page and engage to resolve the security issue.


Best,
Bruno



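Bruno's suggested check, as an added example that is not code from the Kafka project or from anyone in this thread: it parses the `versions` block of dependencies.gradle (and, for the deployment question raised earlier in the thread, the jar names in a kafka/libs directory) and reports each CVE from the thread as open, fixed or not present. The version block and jar listing are constructed sample data; the gradle-key mapping and the first-fixed version per CVE are assumptions to be confirmed against each advisory.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt in the shape of the `versions` block of Kafka's
# gradle/dependencies.gradle (sample data, not the real file).
SAMPLE_VERSIONS_BLOCK = '''
versions += [
  jackson: "2.13.5",
  jacksonDatabind: "2.13.5",
  snappy: "1.1.8.4",
  zstd: "1.5.5-1",
]
'''

# Constructed listing of a deployed kafka/libs directory.
SAMPLE_LIBS_DIR = [
    "jackson-databind-2.13.5.jar",
    "kafka-clients-3.5.1.jar",
    "snappy-java-1.1.8.4.jar",
    "zstd-jni-1.5.5-1.jar",
]

# Maven artifactId -> key used in dependencies.gradle (assumed mapping).
ARTIFACT_TO_GRADLE_KEY = {"jackson-databind": "jacksonDatabind", "snappy-java": "snappy"}

# CVE -> (artifactId, first fixed version).  The thresholds are ASSUMED from
# memory of the advisories; confirm each one against the advisory text.
CVE_FIXES: Dict[str, Tuple[str, str]] = {
    "CVE-2022-42003": ("jackson-databind", "2.13.4.2"),
    "CVE-2022-42004": ("jackson-databind", "2.13.4"),
    "CVE-2023-34453": ("snappy-java", "1.1.10.1"),
    "CVE-2023-34454": ("snappy-java", "1.1.10.1"),
    "CVE-2023-35116": ("snappy-java", "1.1.10.1"),
}

GRADLE_VERSION_LINE = re.compile(r'^\s*(\w+):\s*"([^"]+)"', re.MULTILINE)
# artifactId up to the first "-<digit>", then the version, then ".jar":
# snappy-java-1.1.8.4.jar -> ("snappy-java", "1.1.8.4")
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering.  Plain string comparison ranks '1.1.8.4'
    above '1.1.10.1' ('8' > '1') and would call the vulnerable snappy-java
    newer than the fixed release; the tuple gets it right."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_gradle_versions(text: str) -> Dict[str, str]:
    """{gradle key: version} for every `key: "x.y.z"` line in the block."""
    return {m.group(1): m.group(2) for m in GRADLE_VERSION_LINE.finditer(text)}

def parse_jar_versions(filenames: Iterable[str]) -> Dict[str, str]:
    """{artifactId: version} for every versioned jar name in the listing."""
    found: Dict[str, str] = {}
    for name in filenames:
        m = JAR_NAME.match(name)
        if m:
            found[m.group("artifact")] = m.group("version")
    return found

def classify(versions: Dict[str, str],
             fixes: Dict[str, Tuple[str, str]] = CVE_FIXES) -> Dict[str, str]:
    """Per CVE: 'open' (pinned below the fix), 'fixed', or 'not-present'
    (the artifact is not part of this build or deployment at all)."""
    result: Dict[str, str] = {}
    for cve, (artifact, fixed) in fixes.items():
        pinned = versions.get(artifact)
        if pinned is None:
            result[cve] = "not-present"
        elif version_key(pinned) < version_key(fixed):
            result[cve] = "open"
        else:
            result[cve] = "fixed"
    return result

def audit_gradle(text: str) -> Dict[str, str]:
    """The check Bruno suggests: dependencies.gradle versions vs the CVE list."""
    by_key = parse_gradle_versions(text)
    by_artifact = {artifact: by_key[key] for artifact, key in ARTIFACT_TO_GRADLE_KEY.items()
                   if key in by_key}
    return classify(by_artifact)

def audit_libs(filenames: Iterable[str]) -> Dict[str, str]:
    """The same check against the jars actually shipped in kafka/libs."""
    return classify(parse_jar_versions(filenames))

def open_cves(report: Dict[str, str]) -> List[str]:
    return sorted(cve for cve, status in report.items() if status == "open")

if __name__ == "__main__":
    print("dependencies.gradle open:", open_cves(audit_gradle(SAMPLE_VERSIONS_BLOCK)))
    print("libs/ open:", open_cves(audit_libs(SAMPLE_LIBS_DIR)))
```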




RE: Release plan required for version 3.5.1

2023-07-25 Thread Sahil Sharma D
Hi Kamal,

Shall we consider the CVEs mentioned in the mail trail as fixed in v3.5.1?

We are unable to find the CVEs in Jira as suggested earlier.

Regards,
Sahil




Re: Release plan required for version 3.5.1

2023-07-25 Thread Kamal Chandraprakash
Hi Sahil,

Apache Kafka 3.5.1 is already released: https://kafka.apache.org/downloads



RE: Release plan required for version 3.5.1

2023-07-25 Thread Sahil Sharma D
Gentle reminder-2




Re: Release plan required for version 3.5.1

2023-07-18 Thread Divij Vaidya
Hi Sahil

We have an opportunity for you to help the community with this release
that you were interested in. The vote for the latest release candidate is
available - https://lists.apache.org/thread/jp82w4rw8l24gm5wh0fgnp5370pyq6s8

Please test the release candidate and provide your vote. Your contribution
here and in future releases would be greatly welcome. Let me know if you
have any questions.

--
Divij Vaidya





Re: Release plan required for version 3.5.1

2023-07-12 Thread Divij Vaidya
Hey Sahil

https://cwiki.apache.org/confluence/display/KAFKA/Release+plan+3.5.1 is the
release plan. RC0 is currently available for voting.

In future, I would encourage you to subscribe to the developer mailing list,
where updates regarding release planning are posted. You can see how to
subscribe to it at https://kafka.apache.org/contact

--
Divij Vaidya





RE: Release plan required for version 3.5.1

2023-07-11 Thread Sahil Sharma D
Gentle reminder!




RE: Release plan required for version 3.5.1

2023-07-03 Thread Sahil Sharma D
Hi,

That means the below vulnerabilities are not applicable to Kafka, right?
CVE-2022-42003
CVE-2022-42004
CVE-2023-34454
CVE-2023-34453
CVE-2023-35116

Regards,
Sahil




Re: Release plan required for version 3.5.1

2023-07-03 Thread Josep Prat
Hi Sahil,
Thanks for caring about Apache Kafka's security. One can fix this situation
by replacing the affected jar file with the one containing the fix for the
vulnerabilities. We plan to add a write-up under Apache Kafka's CVE page.
Mind that Apache Kafka doesn't typically do emergency releases for CVEs
discovered in their dependencies unless the affectation in Kafka itself is
major.

That being said, if you take a look at the `dev` mailing list, you'll see
that a maintainer already volunteered to be the release manager for 3.5.1:
https://lists.apache.org/thread/q8rxv7wo8mwvzs3d25hzy987xph7f7nr
If you want to be up-to-date with the release plan of 3.5.1 (contents,
estimated timings and such) please check the `dev` mailing list as this
information is usually shared there. The `user` mailing list usually gets
notified when release candidates or new versions are created.

Best,


--
*Josep Prat*
Open Source Engineering Director, *Aiven*
josep.p...@aiven.io   |   +491715557497
aiven.io
*Aiven Deutschland GmbH*
Alexanderufer 3-7, 10117 Berlin
Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
Amtsgericht Charlottenburg, HRB 209739 B


RE: Release plan required for version 3.5.1

2023-07-03 Thread Sahil Sharma D
Gentle reminder!

From: Sahil Sharma D
Sent: 26 June 2023 08:18 PM
To: users@kafka.apache.org
Subject: Release plan required for version 3.5.1
Importance: High

Hi Team,

There is a vulnerability in snappy-java-1.1.8.4.jar; are we impacted by
this if we are using only the client jar and the Kafka server?

Below are the vulnerabilities that are still open; we are unable to find any
details of these CVEs on Jira. In which version are these CVEs planned to be
resolved?
CVE-2022-42003
CVE-2022-42004
CVE-2023-34454
CVE-2023-34453
CVE-2023-35116

Kindly share the release plan for version 3.5.1.

Regards,
Sahil