Hi PoAn,

Yes we'll want to address these if possible. Scanners will also spot the plexus-utils CVE in the binaries. Even though looking at the code it's not exploitable.

Thanks,
Mickael

On Tue, Apr 14, 2026 at 1:18 PM PoAn Yang <[email protected]> wrote:
>
> Hi Mickael,
>
> I built image for 4.2.1-rc0 and found three CVEs. Do we also want to add this
> to 4.3.0?
>
> Failed Docker Build Test CI:
> JVM: https://github.com/apache/kafka/actions/runs/24325917628/job/71021064066
> Native: https://github.com/apache/kafka/actions/runs/24333619117/job/71044984045
>
> JVM image: https://issues.apache.org/jira/browse/KAFKA-20373
>
> Native image:
> https://issues.apache.org/jira/browse/KAFKA-20446
> https://issues.apache.org/jira/browse/KAFKA-20447
>
> Thanks,
> PoAn
>
> > On Apr 13, 2026, at 10:30 PM, Mickael Maison <[email protected]> wrote:
> >
> > Hi PoAn,
> >
> > Yes having these changes in 4.3 would be useful.
> >
> > Thanks,
> > Mickael
> >
> > On Mon, Apr 13, 2026 at 1:52 PM PoAn Yang <[email protected]> wrote:
> >>
> >> Hi Mickael,
> >>
> >> I have some PRs related to trivy action and release.py. Can I backport
> >> them to 4.3 branch?
> >>
> >> 1. Change trivy action to approved one in apache/infrastructure-actions.
> >>
> >> https://github.com/apache/kafka/commit/eb6ce0e3d9c22ea1c34ecca293555f9fcad17981
> >> https://github.com/apache/kafka/commit/acd37fc30c5fdbbae772144c73b4f2c7e1c21d27
> >>
> >> 2. Update release.py to remove -SNAPSHOT in version.py, so we don’t get
> >> error in StreamsUpgradeTest.test_app_upgrade e2e.
> >>
> >> https://github.com/apache/kafka/pull/22031
> >>
> >> Thanks,
> >> PoAn
> >>
> >>> On Apr 11, 2026, at 10:55 PM, Lianet Magrans <[email protected]> wrote:
> >>>
> >>> Hi Mickael,
> >>>
> >>> I just merged the fix for the recent blocker
> >>> https://issues.apache.org/jira/browse/KAFKA-20428
> >>>
> >>> Thanks!
> >>> Lianet
> >>>
> >>> On Fri, Apr 10, 2026 at 7:07 PM Matthias J. Sax <[email protected]> wrote:
> >>>
> >>>> Thanks. PR got merged.
> >>>>
> >>>>
> >>>> -Matthias
> >>>>
> >>>> On 4/10/26 12:32 PM, Mickael Maison wrote:
> >>>>> Hi Matthias,
> >>>>>
> >>>>> Yes let's revert that commit.
> >>>>>
> >>>>> Thanks,
> >>>>> Mickael
> >>>>>
> >>>>> On Fri, Apr 10, 2026 at 8:43 PM Matthias J. Sax <[email protected]> wrote:
> >>>>>>
> >>>>>> Hey Mickael,
> >>>>>>
> >>>>>> I just realized that we did merge a PR to trunk (before 4.3 branch cut)
> >>>>>> to add a new config for KIP-1071, but we are still not using this
> >>>>>> config. To avoid confusing users, I propose to revert this change in
> >>>>>> 4.3. Prepared a PR for it. Please let me know if that's ok to merge.
> >>>>>>
> >>>>>> https://github.com/apache/kafka/pull/22020
> >>>>>>
> >>>>>>
> >>>>>> -Matthias
> >>>>>>
> >>>>>>
> >>>>>> On 3/30/26 11:22 AM, Justine Olshan via dev wrote:
> >>>>>>> I'll be picking a small bugfix to 4.3 -- KAFKA-20310, just missed the
> >>>>>>> branch cut and it's a bugfix.
> >>>>>>>
> >>>>>>> On Mon, Mar 30, 2026 at 9:58 AM Matthias J. Sax <[email protected]> wrote:
> >>>>>>>
> >>>>>>>> I took the liberty to update the release wiki page, adding KIP-1271 as
> >>>>>>>> "completed" -- it was incorrectly listed as postponed.
> >>>>>>>>
> >>>>>>>> The Jira ticket is still open, as we add more test etc, but the KIP is
> >>>>>>>> already completed.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> -Matthias
> >>>>>>>>
> >>>>>>>> On 3/30/26 9:25 AM, Mickael Maison wrote:
> >>>>>>>>> Hi Jose,
> >>>>>>>>>
> >>>>>>>>> Yes you can apply that to 4.3.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Mickael
> >>>>>>>>>
> >>>>>>>>> On Mon, Mar 30, 2026 at 6:08 PM José Armando García Sancio via dev
> >>>>>>>>> <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Mickael,
> >>>>>>>>>>
> >>>>>>>>>> I merged KAFKA-19541 to the 4.3 branch as discussed earlier.
> >>>>>>>>>>
> >>>>>>>>>> I also just merged a bug fix (1) to trunk for the issue KAFKA-19851
> >>>>>>>>>> (2) introduced in the 4.0 release. Some users have encountered this
> >>>>>>>>>> issue. The workaround is to delete all configurations removed by AK
> >>>>>>>>>> 4.0. It would be nice to make this fix available in the 4.3
> >>>>>>>>>> release.
> >>>>>>>>>> What do you think?
> >>>>>>>>>>
> >>>>>>>>>> (1) https://github.com/apache/kafka/commit/a35d6492fbf8068cdb025419178434cbae3a991b
> >>>>>>>>>> (2) https://issues.apache.org/jira/browse/KAFKA-19851
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>> --
> >>>>>>>>>> -José
