
zlib library security vulnerability through to version 1.3

Open MiikaL opened this issue 1 year ago • 1 comments

Description

We use the Confluent.Kafka NuGet package, which makes use of librdkafka, and we are receiving a security warning about the version of zlib in use:

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': zlib1.dll: CVE-2023-45853(9.8), CVE-2002-0059(9.8), CVE-2022-37434(9.8)

https://nvd.nist.gov/vuln/detail/CVE-2023-45853

Checklist

IMPORTANT: We will close issues where the checklist has not been completed.

Please provide the following information:

  • [x] librdkafka version (release number or git tag): 2.3.1
  • [x] Apache Kafka version: N/A
  • [x] librdkafka client configuration: N/A
  • [x] Operating system: Windows
  • [x] Provide logs (with debug=.. as necessary) from librdkafka
  • [x] Provide broker log excerpts
  • [x] Critical issue

MiikaL avatar Mar 19 '24 16:03 MiikaL

Thank you for the report. We are in the process of resolving this issue.

janjwerner-confluent avatar May 06 '24 14:05 janjwerner-confluent

Resolved in https://github.com/confluentinc/librdkafka/pull/4706

janjwerner-confluent avatar Jun 17 '24 09:06 janjwerner-confluent

Not resolved: this file (https://github.com/confluentinc/librdkafka/blob/v2.5.0/vcpkg.json) packages version 1.3 of zlib for the Windows package.

Even though there is code (for the Linux version?) that downloads version 1.3.1 of zlib (https://github.com/confluentinc/librdkafka/blob/v2.5.0/mklove/modules/configure.zlib).

MiikaL avatar Aug 13 '24 06:08 MiikaL
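The mismatch described above (a vcpkg manifest pinning one zlib version while a separate build script fetches another) is the kind of thing a repository check can catch before a scanner does. The following is an added example, not code from librdkafka or from anyone in this thread: it parses a constructed vcpkg.json (the real librdkafka manifest is not reproduced here), resolves which zlib version vcpkg would pin (an `overrides` entry wins, otherwise the `version>=` floor), compares it against a minimum, and also turns a scanner warning line like the one in the report into structured findings for triage. The minimum of 1.3.1 is taken from the version configure.zlib is said to download; the manifest contents and the baseline hash are placeholders.

```python
"""Check the zlib version a vcpkg.json manifest pins, and parse a scanner warning.

Added example; the manifest below is constructed and is NOT the real
librdkafka vcpkg.json. The minimum version is an assumption taken from the
thread (configure.zlib fetches 1.3.1 on the non-Windows build).
"""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample manifest: same shape as a vcpkg manifest with an override.
SAMPLE_MANIFEST = """
{
  "name": "example-project",
  "version-string": "0.0.0",
  "dependencies": [
    { "name": "zlib", "version>=": "1.2.13" },
    "openssl"
  ],
  "overrides": [
    { "name": "zlib", "version": "1.3" }
  ],
  "builtin-baseline": "0000000000000000000000000000000000000000"
}
"""

# Assumption: 1.3.1 is the minimum acceptable zlib version for this check.
MIN_ZLIB = "1.3.1"

# The warning line quoted in the report (CVE ids and scores as given there).
SCAN_WARNING = (
    "One or more dependencies were identified with vulnerabilities that have a "
    "CVSS score greater than or equal to '8.0': zlib1.dll: CVE-2023-45853(9.8), "
    "CVE-2002-0059(9.8), CVE-2022-37434(9.8)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.3', '1.3.1' or '1.3.1#2' (vcpkg port-version suffix) into a tuple.

    Tuple comparison gives (1, 3) < (1, 3, 1), which is the ordering we want.
    """
    base = text.split("#", 1)[0]
    parts = re.findall(r"\d+", base)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def pinned_version(manifest: dict, port: str) -> Optional[str]:
    """Version vcpkg resolves for `port`: an override is exact; otherwise the
    'version>=' floor is only a lower bound (baseline may be newer); None if
    the version comes purely from the baseline and must be checked elsewhere."""
    for entry in manifest.get("overrides", []):
        if entry.get("name") == port:
            return entry.get("version") or entry.get("version-string")
    for dep in manifest.get("dependencies", []):
        if isinstance(dep, dict) and dep.get("name") == port:
            return dep.get("version>=")
    return None


def check_manifest(manifest_text: str, port: str = "zlib", minimum: str = MIN_ZLIB) -> dict:
    """Return a verdict dict: ok is True only when the pinned/floor version
    provably meets `minimum`."""
    manifest = json.loads(manifest_text)
    ver = pinned_version(manifest, port)
    if ver is None:
        return {"port": port, "pinned": None, "ok": False,
                "reason": "version comes from the baseline; pin or verify it explicitly"}
    ok = parse_version(ver) >= parse_version(minimum)
    reason = "meets minimum" if ok else f"{ver} is below minimum {minimum}"
    return {"port": port, "pinned": ver, "ok": ok, "reason": reason}


def parse_scan_warning(line: str) -> Tuple[str, List[Tuple[str, float]]]:
    """Extract (component, [(CVE id, CVSS score), ...]) from a scanner warning."""
    m = re.search(r"(\S+\.dll): (.*)$", line)
    if not m:
        raise ValueError("no component finding in warning line")
    findings = re.findall(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)", m.group(2))
    return m.group(1), [(cve, float(score)) for cve, score in findings]


if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST))
    print(parse_scan_warning(SCAN_WARNING))
```

Run against the real manifest with `check_manifest(open("vcpkg.json").read())`; a `"version>="` floor below the minimum yields `ok: False` even if the baseline happens to be newer, which is deliberate: the manifest should state the bound explicitly rather than rely on the baseline.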

I have continued the issue in https://github.com/confluentinc/librdkafka/issues/4813

MiikaL avatar Aug 13 '24 06:08 MiikaL