strimzi / strimzi-kafka-oauth

OAuth2 support for Apache Kafka® to work with many OAuth2 authorization servers
Apache License 2.0

Strimzi-Kafka-Oauth jsonpath to 2.8.0 due to CVE-2023-1370 #197

Open cesaroangelo opened 1 year ago

cesaroangelo commented 1 year ago

Hello,

Looking at the latest commits, the jsonpath library is being upgraded to 2.8.0, which implies the upgrade of json-smart to 2.4.10, fixing CVE-2023-1370.

```
+--- io.strimzi:kafka-oauth-common:0.12.0
|    +--- com.nimbusds:nimbus-jose-jwt:9.10 -> 9.31 (*)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.4.2 -> 2.14.2 (*)
|    \--- com.jayway.jsonpath:json-path:2.6.0
|         +--- net.minidev:json-smart:2.4.7
|         |    \--- net.minidev:accessors-smart:2.4.7
```

I have a question about this: is there a rough ETA regarding the next release?

Regards, Angelo

mstruk commented 1 year ago

OAuth 0.13.0 CR1 is just around the corner with GA early next week.
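
The check behind the first comment, as an added example that is not part of the original thread or of the strimzi-kafka-oauth code: it parses the quoted dependency tree, takes the version after `->` as the effective one, and reports which dependency path still pulls in json-smart below the 2.4.10 named in the issue. The function names are hypothetical, and the tree is assumed to be Gradle-style `dependencies` output with five columns of indent per level.

```python
import re

# Constructed input: the dependency tree quoted in the issue above.
SAMPLE_TREE = r"""
+--- io.strimzi:kafka-oauth-common:0.12.0
|    +--- com.nimbusds:nimbus-jose-jwt:9.10 -> 9.31 (*)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.4.2 -> 2.14.2 (*)
|    \--- com.jayway.jsonpath:json-path:2.6.0
|         +--- net.minidev:json-smart:2.4.7
|         |    \--- net.minidev:accessors-smart:2.4.7
"""

# One tree node: indent, "+---" or "\---", group:name[:requested][ -> resolved]
NODE = re.compile(
    r"^(?P<indent>[| ]*)[+\\]--- (?P<ga>[^:\s]+:[^:\s]+)"
    r"(?::(?P<req>\S+))?(?: -> (?P<res>\S+))?"
)

def version_key(version):
    """Numeric tuple, so 2.4.7 sorts below 2.4.10 (plain string comparison does not).
    Qualifiers such as -RC1 are not interpreted; only the digits are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def parse_tree(text):
    """Yield (path_from_root, effective_version) for every node in the tree."""
    stack = []  # ancestors of the current node, one entry per depth level
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 5            # assumed: 5 columns per level
        effective = m["res"] or m["req"] or ""   # "a -> b" means b was selected
        del stack[depth:]
        stack.append(m["ga"])
        yield list(stack), effective

def find_below_fixed(text, artifact, fixed_version):
    """Return (path, version) for each `artifact` node older than fixed_version."""
    return [
        (" > ".join(path), version)
        for path, version in parse_tree(text)
        if path[-1] == artifact and version_key(version) < version_key(fixed_version)
    ]

if __name__ == "__main__":
    for path, version in find_below_fixed(SAMPLE_TREE, "net.minidev:json-smart", "2.4.10"):
        print(f"json-smart {version} is below 2.4.10, pulled in via: {path}")
```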