rmoff commented on issue #10745:
URL: https://github.com/apache/iceberg/issues/10745#issuecomment-3073630730

   I got this back from my colleague.
   
   [Trivy](https://trivy.dev/latest/) identified some CVE issues, which blocks us from being able to list the connector.
   
   ```
   Vulnerability Details:
   Library: commons-beanutils:commons-beanutils (commons-beanutils-1.9.4.jar)
   Vulnerability: CVE-2025-48734
   Severity: HIGH
   Status: Fixed
   Installed Version: 1.9.4
   Fixed Version: 1.11.0
   Title: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property...
   Link: https://avd.aquaseac.com/nvd/cve-2025-48734
   Library: io.netty:netty-handler (netty-handler-4.1.115.Final.jar)
   Vulnerability: CVE-2025-24970
   Severity: HIGH
   Status: (Missing in provided data, assuming "unfixed" or "pending fix" if no gRPC release yet)
   Installed Version: 4.1.115.Final
   Fixed Version: 4.1.118.Final
   Title: SslHandler doesn't correctly validate packets which can lead to native crash...
   Link: https://avd.aquaseac.com/nvd/cve-2025-24970
   Library: net.minidev:json-smart (json-smart-2.5.1.jar)
   Vulnerability: CVE-2024-57699
   Severity: HIGH
   Status: (Missing in provided data, assuming "unfixed" or "pending fix" if no gRPC release yet)
   Installed Version: 2.5.1
   Fixed Version: 2.5.2
   Title: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)
   Link: https://avd.aquaseac.com/nvd/cve-2024-57699
   ```
   
   They built it as follows:
   
   ```
   git clone g...@github.com:apache/iceberg.git
   cd iceberg
   git checkout apache-iceberg-1.9.1
   
   # Verify the commit hash - to confirm you're on the correct official release (not an RC):
   git rev-parse HEAD
   # Should return: e2c32ec0e9fc39cd4a29d2e2a69888bbf86ad1e5
   
   # Clean and build with the desired version explicitly set
   ./gradlew -Prelease -Pbuild.version=1.9.1 \
     :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip \
     -x test -x integrationTest
   ```
   
   


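Triaging scanner output like the Trivy findings quoted above usually comes down to two questions: which flagged jars actually have an upstream fix, and does a planned dependency bump reach the fixed version? The following Python script is an added example for this thread and is not code from the Iceberg project or from the commenter. It assumes Trivy's JSON output layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`, as produced by `--format json`), and the embedded sample document is constructed from the three findings in the comment.

```python
"""Triage Trivy JSON findings: list HIGH/CRITICAL issues that have a fix,
and check whether a planned set of version bumps closes each of them."""
import json
import re

# Constructed sample mirroring the three findings quoted in the issue comment.
# Assumed Trivy JSON layout: Results[].Vulnerabilities[] with the keys below.
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "iceberg-kafka-connect-runtime.zip",
        "Class": "lang-pkgs",
        "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-48734",
             "PkgName": "commons-beanutils:commons-beanutils",
             "InstalledVersion": "1.9.4", "FixedVersion": "1.11.0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2025-24970",
             "PkgName": "io.netty:netty-handler",
             "InstalledVersion": "4.1.115.Final", "FixedVersion": "4.1.118.Final",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-57699",
             "PkgName": "net.minidev:json-smart",
             "InstalledVersion": "2.5.1", "FixedVersion": "2.5.2",
             "Severity": "HIGH"},
        ],
    }]
})


def version_key(version):
    """Turn '4.1.118.Final' into a tuple that compares component-wise:
    numeric parts compare numerically, and a numeric part sorts before any
    textual qualifier. Simplified, not a full Maven version comparator."""
    key = []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, 0, part.lower()))
    return tuple(key)


def is_at_least(installed, required):
    """True if `installed` is the same as or newer than `required`."""
    return version_key(installed) >= version_key(required)


def triage(trivy_json, severities=("HIGH", "CRITICAL")):
    """Return one record per finding at the given severities, noting whether
    Trivy reports a fixed version for it."""
    report = json.loads(trivy_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            fixed = vuln.get("FixedVersion") or ""
            findings.append({
                "cve": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": fixed,
                "target": result.get("Target"),
                "fix_available": bool(fixed),
            })
    return findings


def unresolved_after_bump(trivy_json, planned_versions):
    """Given planned bumps {pkg: version}, return the CVE ids the plan would
    NOT close. Trivy may list several fixed versions separated by commas
    (one per maintained branch); reaching any of them counts as fixed."""
    remaining = []
    for f in triage(trivy_json):
        new_version = planned_versions.get(f["pkg"], f["installed"])
        candidates = [c.strip() for c in f["fixed"].split(",") if c.strip()]
        if not any(is_at_least(new_version, c) for c in candidates):
            remaining.append(f["cve"])
    return remaining


if __name__ == "__main__":
    for f in triage(SAMPLE_TRIVY_JSON):
        print(f"{f['cve']}: {f['pkg']} {f['installed']} -> "
              f"{f['fixed'] or 'no fix available'}")
    plan = {"io.netty:netty-handler": "4.1.118.Final",
            "net.minidev:json-smart": "2.5.2"}
    print("still open after planned bumps:",
          unresolved_after_bump(SAMPLE_TRIVY_JSON, plan))
```

Run it against real output with `trivy fs --format json -o report.json <unpacked-distZip-dir>` and feed the file contents to `triage`/`unresolved_after_bump`; the version comparison is deliberately simple, so treat an unexpected result on exotic qualifiers as a prompt to check the artifact's actual version by hand.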
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org