Closed liujiyuan closed 1 year ago
cc: @edenhill
When will you finish it? Thanks a lot! @edenhill @mhowlett
This is being fixed for Windows builds by relying on vcpkgs for dependencies.
As for the v1.0.2 version of OpenSSL in some of the builds: this is used on old Linux platforms (older CentOS) that don't have OpenSSL v1.1.1. These Linux builds are used as fallbacks; the Debian-based Linux builds will have an up-to-date OpenSSL version.
You can verify which OpenSSL version is used by setting debug=security and security.protocol=SSL in a test application.
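The check described in the comment above, written out as a throwaway .NET console app. This is an added example, not code from the thread or from the Confluent.Kafka project; the broker address is a placeholder, and it assumes librdkafka emits its "Using OpenSSL version ..." line on the security debug context when an SSL listener is configured, which it does before any broker connection is attempted, so no reachable broker is needed to see it.

```csharp
using System;
using System.Threading;
using Confluent.Kafka;

// Added example (not from the issue thread): enable librdkafka's "security"
// debug context and an SSL security protocol so the client logs which
// OpenSSL build it actually loaded. The bootstrap address is a placeholder.
class OpenSslVersionCheck
{
    static void Main()
    {
        var config = new ProducerConfig
        {
            BootstrapServers = "localhost:9092",     // placeholder, not contacted successfully
            SecurityProtocol = SecurityProtocol.Ssl, // forces the SSL context to be created
            Debug = "security"                       // logs OpenSSL details at startup
        };

        // The bundled librdkafka version is also worth recording alongside OpenSSL.
        Console.WriteLine($"librdkafka version: {Library.VersionString}");

        using var producer = new ProducerBuilder<Null, string>(config)
            .SetLogHandler((_, log) =>
            {
                // Only the OpenSSL-related lines matter here; the one starting
                // "Using OpenSSL version" names the library that was linked/loaded.
                if (log.Message.Contains("OpenSSL", StringComparison.OrdinalIgnoreCase))
                    Console.WriteLine($"[{log.Facility}] {log.Message}");
            })
            .Build();

        // Give the client a moment to emit its start-up log lines before disposing.
        Thread.Sleep(2000);
    }
}
```

Compare the version printed here against the OpenSSL vulnerabilities page linked later in the thread; the DLL file name (libcrypto-1_1-x64.dll) only tells you the 1.1 ABI, not the patch letter, whereas this log line gives the exact build.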
Using Confluent.Kafka 1.9.0 seems to be using OpenSSL 1.1.1n, which has several vulnerabilities that were fixed recently: https://www.openssl.org/news/vulnerabilities.html I know this since 'libcrypto-1_1-x64.dll' & 'libssl-1_1-x64' have that version.
Can this be upgraded to use the latest OpenSSL 1.1.1q that fixes these vulnerabilities? @edenhill I guess this has to be done in librdkafka first?
Also, the 'libcurl' version being used is 7.82, which also has vulnerabilities: https://curl.se/docs/vulnerabilities.html Can this be upgraded to the latest 7.84? @edenhill again I think this needs to be fixed/upgraded in librdkafka first?
https://github.com/edenhill/librdkafka/releases/tag/v1.9.2
closing, though this is an ongoing battle (updating dependencies to address vulnerabilities). feel free to report future security issues directly on the librdkafka repo - the .net client will always depend on the latest librdkafka release.
Description
The current versions of lz4 (zlib v1.2.8: [CVE-2016-9840, CVE-2016-9842, CVE-2016-9843, CVE-2016-9841]) and openssl (v1.0.2r: CVE-2021-23840, v1.0.2o: CVE-2018-0732) have security leaks. Need to upgrade lz4 to v1.2.11 and openssl to v1.1.1.
How to reproduce
So how to upgrade lz4 and openssl? Or could you upgrade and pack it to nuget.org? Thanks.