Bug 275611 - net/kafka: update to v3.6.1
Summary: net/kafka: update to v3.6.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Fernando Apesteguía
URL: https://downloads.apache.org/kafka/3....
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-07 15:39 UTC by Pavel Timofeev
Modified: 2023-12-10 17:28 UTC

See Also:
fernape: merge-quarterly+


Attachments
port patch (3.16 KB, patch)
2023-12-07 15:39 UTC, Pavel Timofeev
no flags

Description Pavel Timofeev 2023-12-07 15:39:31 UTC
Created attachment 246875 [details]
port patch

net/kafka: update to v3.6.1
Comment 1 Fernando Apesteguía freebsd_committer freebsd_triage 2023-12-09 12:58:01 UTC
^Triage: Bugfix release, merge to quarterly branch. (CVE-2023-4586)

^Triage: Security release, merge to quarterly branch.

^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval.
--
Attachment -> Details -> maintainer-approval [+]

Thanks!

Note to self: Add VuXML entry.
Comment 2 Fernando Apesteguía freebsd_committer freebsd_triage 2023-12-10 17:04:16 UTC
(In reply to Fernando Apesteguía from comment #1)
That should have been CVE-2023-44981
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-12-10 17:10:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a991db5e17fa496ec31e0416b8dd8ee357dbee0e

commit a991db5e17fa496ec31e0416b8dd8ee357dbee0e
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-12-10 17:05:14 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:07:55 +0000

    security/vuxml: Record kafka vulnerability

    Authorization Bypass Through User-Controlled Key vulnerability in Apache
    ZooKeeper.

    Note that this only affects SASL Quorum Peer authentication which is
    not enabled by default.

     Base Score:    9.1 CRITICAL
     Vector:        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    PR:     275611

 security/vuxml/vuln/2023.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-12-10 17:25:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=452f0014ea7e0a1495dbbd29ae30955ca7d7f1f0

commit 452f0014ea7e0a1495dbbd29ae30955ca7d7f1f0
Author:     Pavel Timofeev <timp87@gmail.com>
AuthorDate: 2023-12-09 12:58:28 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:24:24 +0000

    net/kafka: update to v3.6.1

    ChangeLog: https://downloads.apache.org/kafka/3.6.1/RELEASE_NOTES.html
    Improvement

     * In Java-client, backoff should be skipped for retried producer-batch to a new
       leader
     * Upgrade ZooKeeper to 3.8.3

    Bug

     * block-cache-capacity metrics worth twice as much as normal
     * Gradle build fails with missing commitId after git gc
     * Concurrency bug in RemoteIndexCache leads to IOException
     * RackId doesn't exist error while running WordCountDemo
     * Handle large keystores in SslEngineValidator
     * Duplicate Producer ID blocks during ZK migration
     * StateRestoreListener#onRestoreSuspended is never called because wrapper
       DelegatingStateRestoreListener doesn't implement onRestoreSuspended
     * Breaking change in 3.4.0 ByteBufferSerializer
     * Topics marked for deletion in ZK are incorrectly migrated to KRaft
     * Possible NPE is thrown in MirrorCheckpointTask
     * Fix CVE-2023-4586 in netty:handler
     * NPE in ChunkedByteStream
     * Zookeeper.jar | CVE-2023-44981
     * Partition-Count is not getting updated Correctly in the Incremental
       Co-operative Rebalancing(ICR) Mode of Rebalancing
     * Disabling scheduled rebalance delay in Connect can lead to indefinitely
       unassigned connectors and tasks
     * LeaveGroupResponse v0-v2 should handle no members
     * ProduceRequest#partitionSizes() is not an atomic operation
     * ZK brokers incorrectly handle KRaft metadata snapshots
     * Malformed connect source offsets corrupt other partitions with DataException
     * Trying to access uncopied segments metadata on listOffsets
     * KRaft controller writes empty state to ZK after migration

    Task

     * Add 3.5.0 to broker/client and streams upgrade/compatibility tests
     * Rolling upgrade system tests are failing
     * Remote log segments should be considered once for retention breach
     * Add 3.4.0 streams upgrade/compatibility tests

    Test

        * Add tests for RemoteIndexCache
        * Flaky test ZkMigrationIntegrationTest.testMigrateTopicDeletions

    PR:             275611
    Reported by:    timp87@gmail.com
    MFH:            2023Q4 (security fix)
    Security:       CVE-2023-4586

 net/kafka/Makefile  |  2 +-
 net/kafka/distinfo  |  6 +++---
 net/kafka/pkg-plist | 24 ++++++++++++------------
 3 files changed, 16 insertions(+), 16 deletions(-)
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2023-12-10 17:27:39 UTC
Committed and merged to 2023Q4,

Thanks!
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-12-10 17:28:20 UTC
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=92795b2fe3d12632f463d2821ce67f46416f453e

commit 92795b2fe3d12632f463d2821ce67f46416f453e
Author:     Pavel Timofeev <timp87@gmail.com>
AuthorDate: 2023-12-09 12:58:28 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:27:01 +0000

    net/kafka: update to v3.6.1

    ChangeLog: https://downloads.apache.org/kafka/3.6.1/RELEASE_NOTES.html
    Improvement

     * In Java-client, backoff should be skipped for retried producer-batch to a new
       leader
     * Upgrade ZooKeeper to 3.8.3

    Bug

     * block-cache-capacity metrics worth twice as much as normal
     * Gradle build fails with missing commitId after git gc
     * Concurrency bug in RemoteIndexCache leads to IOException
     * RackId doesn't exist error while running WordCountDemo
     * Handle large keystores in SslEngineValidator
     * Duplicate Producer ID blocks during ZK migration
     * StateRestoreListener#onRestoreSuspended is never called because wrapper
       DelegatingStateRestoreListener doesn't implement onRestoreSuspended
     * Breaking change in 3.4.0 ByteBufferSerializer
     * Topics marked for deletion in ZK are incorrectly migrated to KRaft
     * Possible NPE is thrown in MirrorCheckpointTask
     * Fix CVE-2023-4586 in netty:handler
     * NPE in ChunkedByteStream
     * Zookeeper.jar | CVE-2023-44981
     * Partition-Count is not getting updated Correctly in the Incremental
       Co-operative Rebalancing(ICR) Mode of Rebalancing
     * Disabling scheduled rebalance delay in Connect can lead to indefinitely
       unassigned connectors and tasks
     * LeaveGroupResponse v0-v2 should handle no members
     * ProduceRequest#partitionSizes() is not an atomic operation
     * ZK brokers incorrectly handle KRaft metadata snapshots
     * Malformed connect source offsets corrupt other partitions with DataException
     * Trying to access uncopied segments metadata on listOffsets
     * KRaft controller writes empty state to ZK after migration

    Task

     * Add 3.5.0 to broker/client and streams upgrade/compatibility tests
     * Rolling upgrade system tests are failing
     * Remote log segments should be considered once for retention breach
     * Add 3.4.0 streams upgrade/compatibility tests

    Test

        * Add tests for RemoteIndexCache
        * Flaky test ZkMigrationIntegrationTest.testMigrateTopicDeletions

    PR:             275611
    Reported by:    timp87@gmail.com
    MFH:            2023Q4 (security fix)
    Security:       CVE-2023-4586

    (cherry picked from commit 452f0014ea7e0a1495dbbd29ae30955ca7d7f1f0)

 net/kafka/Makefile  |  2 +-
 net/kafka/distinfo  |  6 +++---
 net/kafka/pkg-plist | 24 ++++++++++++------------
 3 files changed, 16 insertions(+), 16 deletions(-)