aws / aws-msk-iam-auth

Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0
145 stars 67 forks

2.1.1 release contains vulnerabilities through aws-sdk #179

Closed jamielwhite closed 4 months ago

jamielwhite commented 5 months ago

My team upgraded to the latest release (2.1.1) hoping it would remediate a vulnerability flagged by our scanning software, but it's still identifying a vulnerability for CVE-2024-29025 through this path:

aws-msk-iam-auth-2.1.1-all.jar -> software.amazon.awssdk:2.23.3 -> netty-codec-http:4.1.100.Final

The vulnerability was remediated in netty-codec-http:4.1.108.Final, which is used as of awssdk version 2.25.19. Are there any plans to upgrade the aws-sdk version used by this library?

jvdadda commented 5 months ago

I made a PR about it: https://github.com/aws/aws-msk-iam-auth/pull/181

Do not hesitate to initiate it next time if you can.

And while waiting for the PR to be merged and released, you can manually upgrade the awssdk version; there are no identified incompatibilities with newer versions.

jamielwhite commented 5 months ago

Thanks! We are downloading the packaged jar directly from GitHub in some cases, so we aren't able to override the version in all of our apps.

sidyag commented 4 months ago

Fixed with release 2.2.0

github-actions[bot] commented 4 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.
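The thread's fix criterion is concrete: the bundled netty-codec-http must be at or above 4.1.108.Final. Since some teams consume the packaged `-all.jar` directly rather than resolving the awssdk version themselves, the following added example (not code from this project or any participant) inspects a shaded jar for the bundled netty-codec-http version and reports whether it meets that threshold. It assumes the shaded jar retains the Maven `pom.properties` metadata at the usual `META-INF/maven/...` path; if shading stripped it, the check reports unknown rather than passing.

```python
import io
import re
import zipfile

# Fixed version cited in the thread for CVE-2024-29025.
FIXED_NETTY_CODEC_HTTP = "4.1.108.Final"
# Assumed location of the bundled artifact metadata inside a shaded "-all" jar;
# a shading configuration may strip or relocate it, in which case this check
# treats the version as unknown (and therefore not remediated).
POM_PROPERTIES = "META-INF/maven/io.netty/netty-codec-http/pom.properties"


def parse_netty_version(value):
    """Turn '4.1.100.Final' into a comparable tuple such as (4, 1, 100)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.Final)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised netty version: {value!r}")
    return tuple(int(x) for x in m.groups())


def bundled_netty_codec_http_version(jar_bytes):
    """Return the netty-codec-http version recorded in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, val = line.partition("=")
            if sep and key.strip() == "version":
                return val.strip()
    return None


def is_remediated(jar_bytes):
    """True only if the bundled version is known and at or above the fixed release."""
    found = bundled_netty_codec_http_version(jar_bytes)
    if found is None:
        return False
    return parse_netty_version(found) >= parse_netty_version(FIXED_NETTY_CODEC_HTTP)


def make_fake_jar(netty_version):
    """Constructed stand-in for a shaded jar; None simulates stripped metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if netty_version is not None:
            jar.writestr(POM_PROPERTIES, f"version={netty_version}\ngroupId=io.netty\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_fake_jar("4.1.100.Final")
    print(bundled_netty_codec_http_version(data), "remediated" if is_remediated(data) else "NOT remediated")
```

Run it against a downloaded `aws-msk-iam-auth-<version>-all.jar` path to confirm which netty-codec-http release is actually shipped before trusting a scanner result either way.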