Affected by CVE-2018-25032?
sed-main opened this issue · 1 comment
Scanning over the recently published images cp-kafka-connect:7.0.2/cp-kafka-connect:5.5.8 using trivy revealed that zlib 1.2.11 is still present. Fittingly, I found no stance on that topic in https://support.confluent.io/hc/en-us/categories/202742828-Announcements or the security release notes.
I would like to ask you if Kafka might be using zlib for compression reasons, or if we may ignore that.
I performed an lsof in our sending component providing records for the container in question; on that environment the thread for the Kafka producer used libzip.so, which requires libz.so as a dynamic dependency. I thus was under the impression that this is the case.
Thanks in advance!
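One way to turn the lsof observation above into a repeatable check, added here as an example that is not part of this issue, of the cp-kafka-connect images, or of any Confluent tooling: it parses lines in the layout that `lsof -p <pid>` prints, picks out every mapped libz shared object, reads the version from the file name and compares it with 1.2.12, the zlib release that fixed CVE-2018-25032. The sample lsof output, the PID and the paths are constructed for the example and do not come from the images mentioned in the issue.

```python
import re

# zlib 1.2.12 is the release that fixed CVE-2018-25032.
FIXED_ZLIB_VERSION = (1, 2, 12)

# Constructed sample of `lsof -p <pid>` output: a Java (Kafka producer) process
# with the JVM's libzip.so mapped, which in turn pulled in the system libz.
SAMPLE_LSOF_OUTPUT = """\
COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
java    12345 app  cwd    DIR  253,0     4096  131073 /opt/app
java    12345 app  txt    REG  253,0    12345  131090 /usr/lib/jvm/java-11/bin/java
java    12345 app  mem    REG  253,0   112416  263200 /usr/lib/jvm/java-11/lib/libzip.so
java    12345 app  mem    REG  253,0   100936  131250 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
java    12345 app  mem    REG  253,0  2029224  131300 /usr/lib/x86_64-linux-gnu/libc-2.31.so
"""

# Matches ".../libz.so", ".../libz.so.1" or ".../libz.so.1.2.11"; libzip.so does not match.
LIBZ_RE = re.compile(r"/libz\.so(?:\.(\d+(?:\.\d+)*))?$")


def parse_lsof(output):
    """Return (pid, path) for every memory-mapped file (FD == 'mem') in lsof output."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 8)      # NAME is the 9th column and may contain spaces
        if len(fields) < 9:
            continue
        pid, fd, name = fields[1], fields[3], fields[8]
        if fd == "mem":
            rows.append((int(pid), name))
    return rows


def version_tuple(version):
    """'1.2.11' -> (1, 2, 11) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def zlib_status(output):
    """Classify each mapped libz object as 'vulnerable', 'fixed' or 'unknown'.

    Returns a list of (pid, path, version string or None, status).
    """
    results = []
    for pid, path in parse_lsof(output):
        match = LIBZ_RE.search(path)
        if not match:
            continue
        version = match.group(1)
        if version is None or version.count(".") < 2:
            # Only the soname (libz.so.1) is visible: the file name carries no
            # patch level, so the version has to come from the package manager.
            status = "unknown"
        elif version_tuple(version) < FIXED_ZLIB_VERSION:
            status = "vulnerable"
        else:
            status = "fixed"
        results.append((pid, path, version, status))
    return results


if __name__ == "__main__":
    # In practice feed this with: subprocess.run(["lsof", "-p", pid], capture_output=True, text=True).stdout
    for pid, path, version, status in zlib_status(SAMPLE_LSOF_OUTPUT):
        print(f"pid {pid}: {path} (zlib {version or '?'}) -> {status}")
```

Two caveats when reading the result: a mapped libz only proves the library is loaded into the process, not that the producer actually compresses with it, and distributions that backport the fix keep the 1.2.11 file name, so a "vulnerable" verdict from the file name needs confirming against the installed package's changelog before it is escalated.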
Please bring your findings and query to the Confluent Trust & Security Team: https://www.confluent.io/trust-and-security/