Hi Sahil, Apache Kafka 3.5.1 is already released: https://kafka.apache.org/downloads

On Wed, Jul 26, 2023 at 9:08 AM Sahil Sharma D <sahil.d.sha...@ericsson.com.invalid> wrote:

> Gentle reminder-2
>
> -----Original Message-----
> From: Sahil Sharma D
> Sent: 12 July 2023 09:51 AM
> To: users@kafka.apache.org
> Subject: RE: Release plan required for version 3.5.1
>
> Gentle reminder!
>
> -----Original Message-----
> From: Sahil Sharma D
> Sent: 03 July 2023 04:39 PM
> To: users@kafka.apache.org
> Subject: RE: Release plan required for version 3.5.1
>
> Hi,
>
> That means the below vulnerabilities are not applicable for Kafka, right?
> CVE-2022-42003
> CVE-2022-42004
> CVE-2023-34454
> CVE-2023-34453
> CVE-2023-35116
>
> Regards,
> Sahil
>
> -----Original Message-----
> From: Josep Prat <josep.p...@aiven.io.INVALID>
> Sent: 03 July 2023 02:02 PM
> To: users@kafka.apache.org
> Subject: Re: Release plan required for version 3.5.1
>
> Hi Sahil,
> Thanks for caring about Apache Kafka's security. One can fix this
> situation by replacing the affected jar file with the one containing the
> fix for the vulnerabilities. We plan to add a write up under Apache Kafka's
> CVE page.
> Mind that Apache Kafka doesn't typically do emergency releases for CVEs
> discovered in their dependencies unless affectation in Kafka itself is
> major.
>
> That being said, if you take a look at the `dev` mailing list, you'll see
> that a maintainer already volunteered to be the release manager for 3.5.1:
> https://lists.apache.org/thread/q8rxv7wo8mwvzs3d25hzy987xph7f7nr
> If you want to be up-to-date with the release plan of 3.5.1 (contents,
> estimated timings and such) please check the `dev` mailing list as this
> information is usually shared there. The `user` mailing list usually gets
> notified when release candidates or new versions are created.
>
> Best,
>
> On Mon, Jul 3, 2023 at 9:46 AM Sahil Sharma D
> <sahil.d.sha...@ericsson.com.invalid> wrote:
>
> > Gentle reminder!
> >
> > From: Sahil Sharma D
> > Sent: 26 June 2023 08:18 PM
> > To: users@kafka.apache.org
> > Subject: Release plan required for version 3.5.1
> > Importance: High
> >
> > Hi Team,
> >
> > There is a vulnerability on snappy-java-1.1.8.4.jar, are we impacted
> > due to this if we are using only client jar and kafka server?
> >
> > Below are the vulnerabilities that are still open, and we are unable to find
> > any detail of these CVEs on jira. In which version are these CVEs
> > planned to be resolved?
> > CVE-2022-42003
> > CVE-2022-42004
> > CVE-2023-34454
> > CVE-2023-34453
> > CVE-2023-35116
> >
> > Kindly share the release plan for version 3.5.1.
> >
> > Regards,
> > Sahil
>
> --
> *Josep Prat*
> Open Source Engineering Director, *Aiven*
> josep.p...@aiven.io