Upgrade to Kafka client v2.8.1 to address timing attack issue
marko-asplund opened this issue · 3 comments
marko-asplund commented
Snyk scan reports the following issue for our service that uses fs2-kafka v2.2.0:
✗ Timing Attack [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEKAFKA-1540737] in org.apache.kafka:kafka-clients@2.8.0
introduced by com.foo:barlib_2.13@0.1.0-SNAPSHOT > com.github.fd4s:fs2-kafka_2.13@2.2.0 > org.apache.kafka:kafka-clients@2.8.0 and 2 other path(s)
This issue was fixed in versions: 2.8.1, 2.7.2
Looks like the series/2.x branch has already upgraded to Kafka client v2.8.1, but would someone be able to cut a release with this dependency upgrade, @bplommer?
bplommer commented
I'll cut a new release ASAP. In the meantime, users can resolve the issue by explicitly depending on the newer version of kafka-client.
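The interim workaround described above, pinning the transitive kafka-clients dependency from the consuming build, as an added sbt example that is not part of the original thread or of the fs2-kafka project. It assumes an sbt build on Scala 2.13 and the fs2-kafka 2.2.0 coordinates shown in the Snyk path; the `dependencyOverrides` setting is sbt's standard mechanism for forcing a transitive version.

```scala
// build.sbt (added example; coordinates taken from the Snyk report above)
scalaVersion := "2.13.6" // assumed; any 2.13.x that fs2-kafka 2.2.0 supports

libraryDependencies += "com.github.fd4s" %% "fs2-kafka" % "2.2.0"

// fs2-kafka 2.2.0 transitively pulls org.apache.kafka:kafka-clients:2.8.0.
// Forcing 2.8.1 (the fixed version named in the advisory) here takes effect
// regardless of which library introduced the transitive dependency.
dependencyOverrides += "org.apache.kafka" % "kafka-clients" % "2.8.1"
```

After reloading the build, `sbt evicted` (or `sbt dependencyTree` with the sbt-dependency-graph plugin) should show kafka-clients resolved to 2.8.1, which is also what a re-run of the Snyk scan would confirm. Once a fs2-kafka release that already depends on 2.8.1 is adopted, the override can be removed.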
marko-asplund commented
> I'll cut a new release ASAP. In the meantime, users can resolve the issue by explicitly depending on the newer version of kafka-client.

Awesome - thanks @bplommer! 🙇
bplommer commented
Resolved in v1.9.0 and v2.3.0.