Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update confluent version to fix CVE-2024-26308 CVE-2024-25710 #32674

Merged
merged 5 commits into from
Dec 11, 2024

Conversation

stankiewicz
Copy link
Contributor

@stankiewicz stankiewicz commented Oct 7, 2024

Kafka Schema Registry Client has been reported with following vuln CVE-2024-26308
CVE-2024-25710 due to vulnerable dependencies.

fixes: #32675

Please add a meaningful description for your change here


Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

  • Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
  • Update CHANGES.md with noteworthy changes.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

Build python source distribution and wheels
Python tests
Java tests
Go tests

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

Kafka Schema Registry Client has been reported with following vuln 
CVE-2024-26308
CVE-2024-25710 due to vulnerable dependencies.
Copy link
Contributor

github-actions bot commented Oct 7, 2024

Checks are failing. Will not request review until checks are succeeding. If you'd like to override that behavior, comment assign set of reviewers

@johnjcasey
Copy link
Contributor

Thanks for starting on this change! Can you try to resolve the precommit issues?

@stankiewicz
Copy link
Contributor Author

on it, I had troubles reproducing the issue.

@stankiewicz
Copy link
Contributor Author

@johnjcasey can you help me dig error messages for KafkaIOT tests (e.g link to gcp console with this test..) Failing check is not giving too many detals.

@stankiewicz
Copy link
Contributor Author

I've run ./gradlew :sdks:python:test-suites:direct:crossLanguageWrapperValidationPreCommit --info locally and I don't have any errors. Is it flaky?

@stankiewicz
Copy link
Contributor Author

Run Xlang_Generated_Transforms PreCommit

@stankiewicz
Copy link
Contributor Author

ok, found why we have checks failing - fix in flight here - #33353

Copy link
Contributor

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @robertwb for label java.
R: @ahmedabu98 for label io.
R: @fozzie15 for label kafka.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

@johnjcasey
Copy link
Contributor

Can you update the PR name / description? this looks like a revert from 7.6 to 7.5

@stankiewicz stankiewicz changed the title bump confluent version to fix CVE-2024-26308 CVE-2024-25710 Update confluent version to fix CVE-2024-26308 CVE-2024-25710 Dec 11, 2024
@johnjcasey johnjcasey merged commit a272823 into apache:master Dec 11, 2024
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: KafkaIO pulls dependency vulnerable to CVE-2024-26308 and CVE-2024-25710
2 participants