Bump Kafka, Spring, Snappy fixing vulns

Description

Upgrade kafka-clients from 3.3.2 to 3.6.0.

This fixes Deserialization of Untrusted Data in kafka-clients (fixed upstream in 3.4.0):
https://nvd.nist.gov/vuln/detail/CVE-2023-25194

The kafka-clients upgrade transitively upgrades snappy-java from 1.1.8.4 to 1.1.10.4, fixing Allocation of Resources Without Limits or Throttling, Denial of Service (DoS), and Integer Overflow or Wraparound:
https://nvd.nist.gov/vuln/detail/CVE-2023-43642
https://nvd.nist.gov/vuln/detail/CVE-2023-34455
https://nvd.nist.gov/vuln/detail/CVE-2023-34454
https://nvd.nist.gov/vuln/detail/CVE-2023-34453

Upgrade Spring from 5.3.23 to 5.3.30, fixing denial-of-service vulnerabilities in spring-expression (SpEL):
https://nvd.nist.gov/vuln/detail/CVE-2023-20863
https://nvd.nist.gov/vuln/detail/CVE-2023-20861
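Because the snappy-java fix arrives only transitively, a bump of kafka-clients does not by itself prove that the build resolved 1.1.10.4: a dependencyManagement entry, an exclusion, or another dependency can still pin the old artifact. The check below is an added example, not code from this ticket or from the FOLIO module; it parses constructed `mvn dependency:list` output (the sample text, the `MIN_VERSIONS` table and the function names are assumptions for illustration) and reports every coordinate that resolved below the version carrying the fix, or did not resolve at all.

```python
"""Verify that the versions a Maven build actually resolved meet the
minimum fixed versions named in the ticket.

Added example; not part of the ticket or the FOLIO project. The
dependency-list text below is constructed for illustration.
"""
import re

# Minimum versions carrying the fixes referenced in the ticket.
MIN_VERSIONS = {
    "org.apache.kafka:kafka-clients": "3.6.0",          # CVE-2023-25194
    "org.xerial.snappy:snappy-java": "1.1.10.4",        # CVE-2023-43642, -34455, -34454, -34453
    "org.springframework:spring-expression": "5.3.30",  # CVE-2023-20863, CVE-2023-20861
}

# Constructed sample of `mvn dependency:list` output. Note that snappy-java is
# still pinned to the vulnerable 1.1.8.4 even though kafka-clients is 3.6.0.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.kafka:kafka-clients:jar:3.6.0:compile
[INFO]    org.xerial.snappy:snappy-java:jar:1.1.8.4:compile
[INFO]    org.springframework:spring-expression:jar:5.3.30:compile
[INFO]    org.springframework:spring-core:jar:5.3.30:compile
"""

# groupId:artifactId:type:version:scope, as printed by dependency:list
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):(\w+)"
)


def parse_version(version):
    """Split a version into a comparable tuple.

    Numeric segments compare numerically (so 1.1.10 > 1.1.8, which a plain
    string comparison gets wrong); non-numeric segments compare as text.
    """
    parts = []
    for segment in re.split(r"[.\-]", version):
        parts.append((0, int(segment)) if segment.isdigit() else (1, segment))
    return tuple(parts)


def parse_dependency_list(text):
    """Return {"groupId:artifactId": version} for each resolved artifact line."""
    resolved = {}
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if match:
            group, artifact, version, _scope = match.groups()
            resolved[f"{group}:{artifact}"] = version
    return resolved


def find_outdated(resolved, minimums=MIN_VERSIONS):
    """Return [(coordinate, resolved_version, minimum)] for every coordinate
    that resolved below its minimum or is missing from the build entirely."""
    problems = []
    for coordinate, minimum in minimums.items():
        actual = resolved.get(coordinate)
        if actual is None or parse_version(actual) < parse_version(minimum):
            problems.append((coordinate, actual, minimum))
    return problems


if __name__ == "__main__":
    # In a real build: mvn dependency:list > deps.txt, then feed that file here.
    for coordinate, actual, minimum in find_outdated(
        parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    ):
        print(f"{coordinate}: resolved {actual!r}, need >= {minimum}")
```

Run it against the real `mvn dependency:list` output of the module after the bump; an empty result is the evidence that the transitive snappy-java upgrade really landed, which a green build alone does not show.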

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Activity

Kateryna Senchenko December 8, 2023 at 12:46 PM

Thank you, closing this ticket.

Ruslan Lavrov December 5, 2023 at 10:55 PM

Hi, this Jira does not require any certain testing, so it can be closed. I did an import using the default job profile, just in case, to double-check that with the upgraded dependencies nothing has been affected. Thank you!

Julian Ladisch November 29, 2023 at 3:29 PM

kafka-junit has been updated; the build succeeds now.

Aliaksandr Fedasiuk November 27, 2023 at 3:10 PM

Build log:

Done

Details

Development Team

Folijet

Fix versions

Release

Poppy (R2 2023) Bug Fix

RCA Group

Related dependency upgrade

Created November 15, 2023 at 4:31 PM
Updated March 26, 2024 at 11:40 PM
Resolved December 1, 2023 at 10:24 AM