fd4s/fs2-kafka

Upgrade to Kafka client v2.8.1 to address timing attack issue

marko-asplund opened this issue · 3 comments

A Snyk scan reports the following issue for our service, which uses fs2-kafka v2.2.0:

  ✗ Timing Attack [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEKAFKA-1540737] in org.apache.kafka:kafka-clients@2.8.0
    introduced by com.foo:barlib_2.13@0.1.0-SNAPSHOT > com.github.fd4s:fs2-kafka_2.13@2.2.0 > org.apache.kafka:kafka-clients@2.8.0 and 2 other path(s)
  This issue was fixed in versions: 2.8.1, 2.7.2

Looks like the series/2.x branch has already upgraded to Kafka client v2.8.1, but would someone be able to cut a release with this dependency upgrade, @bplommer?

I'll cut a new release ASAP. In the meantime, users can resolve the issue by explicitly depending on the newer version of kafka-client.
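The interim workaround mentioned above, as an added example that is not part of this issue thread: an sbt build that keeps fs2-kafka 2.2.0 but forces the transitive `kafka-clients` dependency to the fixed 2.8.1 release. Project name and Scala version are assumptions; the coordinates and versions come from the Snyk report above.

```scala
// build.sbt (hypothetical project) - pin the vulnerable transitive dependency
// until an fs2-kafka release that depends on kafka-clients 2.8.1 is available.
ThisBuild / scalaVersion := "2.13.6"

lazy val barlib = (project in file("."))
  .settings(
    name := "barlib",
    libraryDependencies += "com.github.fd4s" %% "fs2-kafka" % "2.2.0",
    // fs2-kafka 2.2.0 pulls in kafka-clients 2.8.0 (SNYK-JAVA-ORGAPACHEKAFKA-1540737).
    // dependencyOverrides forces every resolution path to 2.8.1, which Snyk lists as fixed.
    dependencyOverrides += "org.apache.kafka" % "kafka-clients" % "2.8.1"
  )
```

After reloading, `sbt evicted` (or `sbt dependencyTree` on sbt 1.4+) shows that `kafka-clients` now resolves to 2.8.1 on all paths; drop the override once the build moves to fs2-kafka 2.3.0.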


Awesome - thanks @bplommer! 🙇

Resolved in v1.9.0 and v2.3.0.