Skip to content

[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to address CVE-2025-27818 #24564

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lhotari merged 2 commits into from
Jul 25, 2025
Merged

[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to address CVE-2025-27818 #24564

lhotari merged 2 commits into from
Jul 25, 2025

Conversation

@lhotari
Copy link
Member

@lhotari lhotari commented Jul 25, 2025

Motivation

Kafka clients before 3.9.1 include CVE-2025-27818. Kafka clients are used in Pulsar IO Connectors.

Modifications

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
b8d8559 
…dress CVE-2025-27818

- set the Confluent Platform version to 7.9.x so that is matches Kafka 3.9.x
  as explained in https://docs.confluent.io/platform/current/installation/versions-interoperability.html#cp-and-apache-ak-compatibility
- Apache Pulsar IO Connectors include ASL 2.0 licensed dependencies from Confluent Platform:
  - io.confluent:kafka-connect-avro-converter
  - io.confluent:kafka-schema-registry-client
  - io.confluent:kafka-avro-serializer
@lhotari lhotari added this to the 4.1.0 milestone Jul 25, 2025
@lhotari lhotari requested a review from codelipenghui July 25, 2025 14:11
@lhotari lhotari self-assigned this Jul 25, 2025
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jul 25, 2025
@lhotari lhotari mentioned this pull request Jul 25, 2025
Merged
4 tasks
david-streamlio
david-streamlio approved these changes Jul 25, 2025
View reviewed changes
Copy link
Contributor

@david-streamlio david-streamlio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM +1

Apurva007
Apurva007 approved these changes Jul 25, 2025
View reviewed changes
Copy link
Contributor

@Apurva007 Apurva007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@codecov-commenter
Copy link

codecov-commenter commented Jul 25, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.29%. Comparing base (bbc6224) to head (968d33c).
⚠️ Report is 1250 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #24564      +/-   ##
============================================
+ Coverage     73.57%   74.29%   +0.72%     
+ Complexity    32624    32605      -19     
============================================
  Files          1877     1876       -1     
  Lines        139502   146322    +6820     
  Branches      15299    16780    +1481     
============================================
+ Hits         102638   108715    +6077     
- Misses        28908    28971      +63     
- Partials       7956     8636     +680
Flag Coverage Δ
inttests 26.72% <ø> (+2.13%) ⬆️
systests 23.33% <ø> (-0.99%) ⬇️
unittests 73.80% <ø> (+0.95%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1113 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@lhotari lhotari merged commit 4418201 into apache:master Jul 25, 2025
93 of 97 checks passed
lhotari added a commit that referenced this pull request Jul 25, 2025
@lhotari
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
d1724da 
…dress CVE-2025-27818 (#24564)

(cherry picked from commit 4418201)
lhotari added a commit that referenced this pull request Jul 25, 2025
@lhotari
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
a777d0a 
…dress CVE-2025-27818 (#24564)

(cherry picked from commit 4418201)
lhotari added a commit that referenced this pull request Jul 25, 2025
@lhotari
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
9d3f091 
…dress CVE-2025-27818 (#24564)

(cherry picked from commit 4418201)
nodece pushed a commit to ascentstream/pulsar that referenced this pull request Jul 28, 2025
@lhotari @nodece
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
7888863 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
nodece pushed a commit to ascentstream/pulsar that referenced this pull request Jul 28, 2025
@lhotari @nodece
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
bbb249d 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
priyanshu-ctds pushed a commit to datastax/pulsar that referenced this pull request Jul 28, 2025
@lhotari @priyanshu-ctds
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
b3a2b5a 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
(cherry picked from commit a777d0a)
priyanshu-ctds pushed a commit to datastax/pulsar that referenced this pull request Jul 28, 2025
@lhotari @priyanshu-ctds
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
2d34bf7 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
(cherry picked from commit d1724da)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Jul 29, 2025
@lhotari @srinath-ctds
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
1110c78 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
(cherry picked from commit d1724da)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Jul 30, 2025
@lhotari @srinath-ctds
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
c8aaae5 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
(cherry picked from commit d1724da)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Jul 31, 2025
@lhotari @srinath-ctds
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
be32a29 
…dress CVE-2025-27818 (apache#24564)

(cherry picked from commit 4418201)
(cherry picked from commit a777d0a)
KannarFr pushed a commit to CleverCloud/pulsar that referenced this pull request Sep 22, 2025
@lhotari @KannarFr
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
987bb2d 
…dress CVE-2025-27818 (apache#24564)
walkinggo pushed a commit to walkinggo/pulsar that referenced this pull request Oct 8, 2025
@lhotari @walkinggo
[fix][sec] Upgrade Kafka connector and clients version to 3.9.1 to ad…
8fdebe4 
…dress CVE-2025-27818 (apache#24564)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@david-streamlio david-streamlio david-streamlio approved these changes

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@merlimat merlimat Awaiting requested review from merlimat

+1 more reviewer

@Apurva007 Apurva007 Apurva007 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@lhotari lhotari

Labels

area/security cherry-picked/branch-3.0 cherry-picked/branch-3.3 cherry-picked/branch-4.0 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.13 release/3.3.8 release/4.0.6

Projects

None yet

Milestone

4.1.0

Development

Successfully merging this pull request may close these issues.

4 participants

@lhotari @codecov-commenter @Apurva007 @david-streamlio