Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##             master      #25   +/-   ##
=========================================
  Coverage     27.88%   27.88%
  Complexity       28       28
=========================================
  Files            15       15
  Lines           269      269
  Branches          5        5
=========================================
  Hits             75       75
  Misses          192      192
  Partials          2        2

☔ View full report in Codecov by Sentry.
Force-push history (each step is a "Compare" link on the PR page):
0bde9a6 → 13dac88 → c26fc3a → 80679c3
78f9514 → 29339c6 → df30799 → 00e6d18 → 5e9bc44 → fde30dc → fe445b4 → 9a6ad76 → 1c7e60e → a1c732d → 3b8e7de
This PR contains the following updates (only the version change column survived extraction):

org.springframework.kafka:spring-kafka   2.8.2 → 2.9.11
(package not named on this page; the vulnerability alerts below concern kafka-clients)   3.1.0 → 3.9.1
(package not named on this page)   1.7.35 → 1.7.36
org.projectlombok:lombok   1.18.22 → 1.18.42

GitHub Vulnerability Alerts
CVE-2023-34040
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.
Specifically, an application is vulnerable when all of the following are true:
By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.
CVE-2024-31141
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients.
Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables.
In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.
In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products.
This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.0 through 3.6.2, and 3.7.0.
Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property "org.apache.kafka.automatic.config.providers=none".
Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds.
For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property.
For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.
CVE-2025-27817
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting up the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or to send requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuration to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products.
Since Apache Kafka 3.9.1/4.0.0, a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") has been added to set the allowed URLs in the SASL JAAS configuration. In 3.9.1 it accepts all URLs by default for backward compatibility. In 4.0.0 and newer, however, the default value is an empty list and users have to set the allowed URLs explicitly.
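Both advisories (CVE-2024-31141 and CVE-2025-27817) reduce to the same control: configuration that an untrusted party can supply must not be able to reach a ConfigProvider or an arbitrary OAUTHBEARER endpoint, and the worker JVM should carry the recommended system properties. The Python below is an added example, not code from this PR, from Renovate, or from Apache Kafka, of a pre-deployment check implementing those rules for a config submitted through something like the Connect REST API. The connector class name, hostnames, secret paths and the sample config are constructed for the example; the `${provider:...}` syntax follows Kafka's documented variable form; and the assumption that `org.apache.kafka.sasl.oauthbearer.allowed.urls` takes a comma-separated list is this example's, not a statement on the page.

```python
"""Pre-deployment checks for Kafka client / Connect configuration supplied by
an untrusted party, following the CVE-2024-31141 and CVE-2025-27817 advisories.

Added example; not code from this PR, Renovate, Spring or Apache Kafka.
"""
import re
from urllib.parse import urlparse

# ${provider:path:key} / ${provider:key} references that a ConfigProvider
# (FileConfigProvider, DirectoryConfigProvider, EnvVarConfigProvider, ...)
# would resolve. The syntax follows Kafka's documented variable form.
_PROVIDER_REF = re.compile(r"\$\{([A-Za-z0-9_.-]+):[^}]*\}")

# Configuration keys named in the CVE-2025-27817 advisory.
OAUTH_URL_KEYS = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)

# JVM system properties named in the advisories.
AUTO_PROVIDERS_PROP = "org.apache.kafka.automatic.config.providers"
ALLOWED_URLS_PROP = "org.apache.kafka.sasl.oauthbearer.allowed.urls"


def find_provider_references(config):
    """Return (key, provider) for every value carrying a ${provider:...} reference.

    Any such reference in untrusted config is rejected: with providers enabled it
    would resolve against the worker's own files or environment.
    """
    hits = []
    for key, value in config.items():
        for match in _PROVIDER_REF.finditer(str(value)):
            hits.append((key, match.group(1)))
    return hits


def check_oauth_urls(config, allowed_urls):
    """Return one problem string per OAUTHBEARER endpoint URL not in the allowlist.

    Exact-match allowlisting mirrors the intent of the allowed.urls property:
    anything else, including file: URLs and internal hosts, is reported.
    """
    allowed = set(allowed_urls)
    problems = []
    for key in OAUTH_URL_KEYS:
        url = config.get(key)
        if url is None or url in allowed:
            continue
        scheme = urlparse(url).scheme.lower() or "<none>"
        problems.append(f"{key}: '{url}' (scheme {scheme}) is not in the allowlist")
    return problems


def check_jvm_args(jvm_args):
    """Return the recommended -D settings missing from the worker's JVM arguments.

    Assumes (example's own assumption) that allowed.urls is a comma-separated list.
    """
    props = {}
    for arg in jvm_args:
        if arg.startswith("-D") and "=" in arg:
            name, _, value = arg[2:].partition("=")
            props[name] = value
    missing = []
    if props.get(AUTO_PROVIDERS_PROP) != "none":
        missing.append(f"-D{AUTO_PROVIDERS_PROP}=none")
    if not props.get(ALLOWED_URLS_PROP):
        missing.append(f"-D{ALLOWED_URLS_PROP}=<comma-separated allowlist>")
    return missing


def audit_untrusted_config(config, allowed_urls, jvm_args):
    """Collect every finding; an empty list means the config may be accepted."""
    findings = [f"{key}: references ConfigProvider '{provider}'"
                for key, provider in find_provider_references(config)]
    findings += check_oauth_urls(config, allowed_urls)
    findings += check_jvm_args(jvm_args)
    return findings


# Constructed sample: a connector config as a tenant might submit it. Class name,
# hosts and secret paths are made up for this example.
SAMPLE_CONFIG = {
    "connector.class": "org.example.SinkConnector",
    "connection.password": "${file:/etc/worker/secrets.properties:db.password}",
    "api.token": "${env:DB_TOKEN}",
    "sasl.oauthbearer.token.endpoint.url": "https://other-idp.example.org/token",
    "sasl.oauthbearer.jwks.endpoint.url": "https://idp.example.com/.well-known/jwks.json",
}

ALLOWED_URLS = [
    "https://idp.example.com/oauth/token",
    "https://idp.example.com/.well-known/jwks.json",
]

# Worker command line with both advisory-recommended properties set.
HARDENED_JVM_ARGS = [
    "-Xmx1g",
    f"-D{AUTO_PROVIDERS_PROP}=none",
    f"-D{ALLOWED_URLS_PROP}=" + ",".join(ALLOWED_URLS),
]

if __name__ == "__main__":
    # Unhardened JVM (no -D properties) plus the sample config: five findings.
    for finding in audit_untrusted_config(SAMPLE_CONFIG, ALLOWED_URLS, ["-Xmx1g"]):
        print("REJECT:", finding)
```

Run against the sample, the two `${...}` references, the unlisted token endpoint URL and the two missing JVM properties are each reported; with `HARDENED_JVM_ARGS` only the three config-level findings remain. As the advisory notes, the JVM property is only appropriate where the people who can write client configuration are not already trusted with disk and environment access; for Brokers, MirrorMaker 2.0, Streams and the command-line tools it is not recommended.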
Release Notes
spring-projects/spring-kafka (org.springframework.kafka:spring-kafka)
v2.9.11 (Compare Source)
⭐ New Features
🐞 Bug Fixes
🔨 Dependency Upgrades
External Links
v2.9.10 (Compare Source)
⭐ New Features
🐞 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@antonio-tomac and @edanidzerda
External Links
v2.9.9 (Compare Source)
🐞 Bug Fixes
🔨 Dependency Upgrades
External Links
v2.9.8 (Compare Source)
⭐ New Features
🐞 Bug Fixes
🔨 Dependency Upgrades
External Links
v2.9.7 (Compare Source)
🐞 Bug Fixes
🔨 Dependency Upgrades
External Links
v2.9.6 (Compare Source)
⭐ New Features
🐞 Bug Fixes
@Nullable #2585
📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@cenkakin and @jucosorin
External Links
v2.9.5 (Compare Source)
⭐ New Features
🐞 Bug Fixes
📔 Documentation
🔨 Dependency Upgrades
🔨 Tasks
❤️ Contributors
Thank you to all the contributors who worked on this release:
@jucosorin and @truepele
External Links
v2.9.4 (Compare Source)
🐞 Bug Fixes
📔 Documentation
❤️ Contributors
Thank you to all the contributors who worked on this release:
@mikael-carlstedt
v2.9.3 (Compare Source)
Change log:
5a412d8 Upgrade Versions; Prepare for Release
91ac6d2 GH-2477: Fix Static State RetryTopicConfigSupport
8c15f7d Fix Missing Re-Interrupt
42f654d Revert KafkaAdmin Change (Previous Commit)
30d2b89 Fix Missing Re-Interrupts
65bbdb6 Add KafkaTestUtils methods using Duration for timeout (2.9) (#2468)
c92ec76 GH-2464: Fix Delivery Attempt Header (Rare)
921e6ae GH-2459: Resolve Sonar Issues
f9f6a55 @RetryableTopic More SpEL Support
5c70ec1 GH-2459: FallbackBatchErrorHandler Retryable Ex
2966c7d GH-2451: Fix Class Level Listener Multi Instances
9e07035 GH-2352: Fix Doc Typo
2bf7d62 GH-2352: Expose KLERegistrar Getter on BPP

v2.9.2 (Compare Source)
Change log:
6b938e4 Upgrade Versions; Prepare for Release
e455431 GH-2438: RetryTopic Destination Partition Select
58aa8b1 GH-2432: Remove Unnecessary Variable
9850af5 GH-2432: Fix Retryable Topic Provisioning
cb5c36b GH-2410: Disallow nack() with Out of Order Commits
91507a9 Update config example type in doc
c69791e Add Acknowledgment.nack() variants accepting Duration
43bc67a Fix Race In Test
3850a01 GH-2419: DLPR: Protect Against Non-Compliant PF
5c776cd GH-2387: Fix FallbackBatchErrorHandler Events
7c648d7 Don't Use kafka.common.KafkaException in Broker
766333c GH-2415: Doc for DeserializationEx... with DLPR
8ad588e GH-2395: RetryListener - Add Batch Methods
f584d8f Upgrade Apache Kafka to 3.2.3
5fed903 GH-2400: ReplyingKT Improve CorrelationId Logging

v2.9.1 (Compare Source)
Change log:
fabdcb7 Upgrade Versions; Prepare for Release
5efa335 Upgrade Apache Kafka to 3.2.2
4fdedd7 GH-2184: Don't Log KafkaBackoffException
8336461 Deprecate ListenableFuture Callback Extensions
ea6fa8f Add Missing Pause/Resume Events
781e726 GH-2382: Fix Unchecked Cast in Test
2eacf7a Remove Another Dead Link from Change History
8f6fd87 Remove Dead Links from Change History
7da485a Fix Duplicate Doc Anchors
f9419c2 Fix typo in whats-new.adoc
6a28cc5 GH-2382: Fix FBEH Cross Talk
798dea3 GH-2375: Add KLER.unregisterListenerContainer
90c6e95 GH-2357: Remove Remaining Uses of ListenableFuture

v2.9.0 (Compare Source)
Change log:
7a3223d Upgrade Versions; Prepare for Release
295b68c GH-2357: Fix Sonar Issues
128372f GH-2357: Switch to CompletableFuture
a4ee066 GH-2355: Add ManualAckListenerErrorHandler (#2356)
e682c87 GH-2350: Fix Paused Partitions After Rebalance
2732303 GH-2344: AggReplyingKT Support Custom Correlation
b1d97b9 GH-2345: Fix Possible NPE in KafkaAdmin
4e6d59c Sonar Fixes
e579c62 Fix for Java 8 compatibility
dd981e1 GH-2239: Fix Boot AutoConfiguration
15e5668 GH-2340: Fix Retrying Batch Error Handling
e220b17 Sonar Fixes
11e03c9 GH-2262: Fix Possible NPE
f7cbbfe Sonar Fixes

v2.8.11 (Compare Source)
Change log:
e31e639 Upgrade Versions; Prepare for Release
5df71c1 Fix Missing Re-Interrupt
a9b0252 Revert KafkaAdmin Change (Previous Commit)
8c2b325 Fix Missing Re-Interrupts
6ec1b3b GH-2459: FallbackBatchErrorHandler Retryable Ex
48b2017 GH-2451: Fix Class Level Listener Multi Instances

v2.8.10 (Compare Source)
Change log:
e021e32 Upgrade Versions; Prepare for Release
bd146f6 GH-2432: Remove Unnecessary Variable
6a253f2 GH-2432: Fix Retryable Topic Provisioning
950a2ea GH-2410: Disallow nack() with Out of Order Commits
0547dc7 Update config example type in doc
a03f67b Fix Race In Test
5bd08c0 GH-2419: DLPR: Protect Against Non-Compliant PF
f6cbf11 GH-2387: Fix FallbackBatchErrorHandler Events
2e1feb3 Don't Use kafka.common.KafkaException in Broker
34c48f5 GH-2415: Doc for DeserializationEx... with DLPR
5df2568 Fix previous commit conflicts
8cfd1d8 GH-2395: RetryListener - Add Batch Methods

v2.8.9 (Compare Source)
Change log:
48334e4 Upgrade Reactor Version
269fd79 Upgrade Versions; Prepare for Release
8193cd2 Upgrade Apache Kafka to 3.0.2
a190ba7 Add Missing Pause/Resume Events
e1bb194 GH-2382: Fix Unchecked Cast in Test
e4eedb7 Remove Another Dead Link from Change History
6d72816 Remove Dead Links from Change History
f3837a1 Fix Duplicate Doc Anchors
3de1e89 GH-2382: Fix RetryingBatchErrorHandler Cross Talk
f001423 GH-2375: Add KLER.unregisterListenerContainer
b6b4c1a GH-2363: Fix Class Cast in ErrorHandlerAdapter

v2.8.8 (Compare Source)
Change log:
16fbdde Upgrade Versions; Prepare for Release
e94985b GH-2350: Fix Paused Partitions After Rebalance
f1f200c GH-2344: AggReplyingKT Support Custom Correlation
f747329 GH-2345: Fix Possible NPE in KafkaAdmin
dee71ae GH-2340: Fix Retrying Batch Error Handling
3f30673 GH-2288: Delegating EH - Traverse Causes
4b93cdf KafkaAdmin: fix usage of the Map.of()
989fb29 GH-2332: Fix Container.pause() with Manual Assign.
b286250 GH-2335: Fix RetryTopic Cause Header Name
3eb5d9f Fix Doc Copyright
fea092c transactionIdPrefix Doc Polishing
bdb7e84 Polish Container setTransactionManager Javadocs
46c63e2 GH-2321: Support Inbound Header Mapping Matchers
558c19f GH-2318: ReplyingKT - Wait for Assignment
e49d850 Fix Possible Race in KafkaAdmin
d1b60d2 Widen Delegate Type for KafkaBackoffAwareMLAdapter

v2.8.7 (Compare Source)
Change log:
c93304a Upgrade Versions; Prepare for Release
9675989 Update Gradle Enterprise plugin
4bce526 GH-2306: Improve DeserEx Message For Improper Ex.
168b9d2 Add Converter Factories to Method Factory
273416c GH-2304: Fix SendTo on Interface Etc.
1d60eda GH-2297: Add KLERegistry.alwaysStartAfterRefresh
e88711f GH-1482: Make Topic Config Update Optional
ec2608b GH-1482: Support Admin.incrementalAlterConfigs
a1f112c Add Acknowledgment.nack() variants accepting Duration
a9a19a7 GH-2295: No Resolvers with ConsumerRecordMetadata
23a103e Log Uncommitted After Rebalance
1e82ac9 GH-2292: Doc - Fix Container Factory Generics
5101b17 GH-2286: Doc Fixes
07e4bc8 Precise unit for sleep duration and wake time
388b23f GH-2148: Use ObjectProvider to Locate MeterRegistry
ba309fb GH-2274: Option to Not Configure (De)serializers

v2.8.6 (Compare Source)
Change log:
7f5395d Upgrade Versions; Prepare for Release
041ce86 GH-2269: Improve DLPR Extensibility
6e92b7f GH-2252: Keep offset metadata in case of batch reprocessing (#2253)
9a36d9b GH-2128: More Doc Polishing
1708bf4 GH-2249: Batch Listener LISTENER_INFO Headers
fc544cd GH-2128: Document Nack Sleep Time Limitations
60c8f6c Add JUnit5 params Module to Build
f90c8e1 GH-2240: Bug fix for KafkaTemplate.receive(..)
63e56a7 Fix Sonar Issue
34e1950 Make artifactoryPublish dependsOn build
fe74dbf Revert "Make artifactoryPublish depend on build"

v2.8.5 (Compare Source)
Change log:
fa07690 Make artifactoryPublish depend on build
f823b3a Upgrade versions; prepared for release
2f45a82 Fix TopicPartitionOffset Hash Code (NPE)
cbca786 GH-2220: Fix Test After Back Port
0072574 GH-2220: Fix TopicPartitionOffset for Retry Topics (#2223)
c863597 GH-2222: Fix Race in Test
3903d1a Fix Links to Boot Documentation
7103483 GH-2222: Re-Pause Paused Partitions After Rebal.
4154271 GH-2212: Log listener exception in retry topic flow (#2213)
e7db6d4 GH-2218 add ability to pass AdminClient
26de6d2 GH-2214: Fix Manual Nack with Zero Sleep
dc81e7c GH-2208: Add Paragraph to Doc
340ac79 Fix test compatibility with the RecordInterceptor
a67a230 GH-2208: Fix Manual Nack with Mutating Interceptor
fea221f GH-2197: Fix Container State After Fatal Stop
94721d5 Upgrade Jackson Version
5246daa GH-2170: Support Custom OffsetAndMetadata
5650491 GH-2059: adminTimeout property on @EmbeddedKafka
da0b820 GH-2184 KafkaBackOffException logged as ERROR
5df194e DLPR - Generate Header Values Lazily
93efeb4 GH-2182 - Capitalize title in docs

v2.8.4 (Compare Source)
Change log:
243e68c GH-2178: Fix CSA.onPartitionsAssigned (Manual)
b27a0d6 Upgrade versions; prepare for release
a78a3cd GH-2179: Exit RetryingBatchErrorHandler on Stop
e9310c0 Fix typo
e0a2711 GH-1886: Fix Javadocs
ea7cc33 GH-1886 More RetryTemplate Related Deprecations
59f2550 Fix KafkaHeaderMapper Javadocs
f3f3eac GH-2155: DeadLetterPublishingRecoverer Improvement
a1ca194 Fix Sonar Issues
f96edc0 GH-2162: Fix Record Interceptor Javadocs
ea50386 GH-2154: Fix Tombstones with Delegating Seriali...
8ec7ed0 GH-2132: Deprecate ListenerUtils.recordToString
60fd3e8 GH-2148: Fix MeterRegistry Detection
be4b1bf GH-2128 Do Not Sleep Consumer Thread for Nack
220262d Fix JavaDocs typo in the KafkaUtils
f6e4a7d GH-2132: Producer Record Log Formatting
15bef9d GH-2134: Doc and Javadoc Polishing
9623116 Fix Compiler Warnings
279b753 GH-2134: Add filter to @KafkaListener
0ac422e Add Nullable to API methods
9d3d034 Docs - Fix ToC
1e5915d Fix Deprecation Warning in Test
6b60316 GH-615: Docs - Migrating Legacy Error Handlers
1bc6f39 Fix Sonar Issues
3020619 Add getter for StreamsUncaughtExceptionHandler (#2144)
b09619b Fix Sonar Issues
9fdb6c3 GH-2139: Clarify ExponentialBackOff maxDelay default
a7621a1 GH-2116: Add blocking retries to RT (#2124)
841a6b7 GH-2135: Fix NPE in JsonDeserializer
796624e ExceptionClassifier Reverse Option

v2.8.3 (Compare Source)
Change log:
810a4c8 Add what's new and docs for RT's new features
427b024 GH-2117: Make ListenerContainerFactoryConfigurer ctor public
8580d70 GH-2118: Make DLPR skip same topic fatal ex optional
92ccb55 GH-2113: Add ex classification to DDTopicResolver
e2750e1 Upgrade versions; prepare for release
a110259 GH-2069: Same factory for retryable and normal endpoints (#2108)
2cb2adf Change Spring repositories to official
fefebd1 GH-2109: Increase EKB Zookeeper Timeouts
3325e36 Doc Polishing
c20b0fb Non-Responsive Consumer Doc Polishing
1c045a2 Fix Event Consumption ToC
22737f5 GH-2089: Add Deprecations for 3.0 Removal
9300f7c GH-2099: Deprecate RetryingBatchErrorHandler
36a5297 Deprecate Accessors for Legacy Error Handlers
5728ed7 add nullable annotation to FailedRecordTracker.setBackOffFunction
550b718 Fix Missing Topics Fatal Javadoc
9722b84 GH-2076: Fix Async Commit Retries
4637d2f JsonSerde Improvement
10e73b5 GH-2085: DelegatingByTypeSerializer Improvements
b669c12 GH-2070: Producer Factory Improvements
917134d GH-2082: Fix RecordInterceptor
dd64db8 2.8.x kafka-clients 3.1.0 Compatibility

projectlombok/lombok (org.projectlombok:lombok)
v1.18.42, v1.18.40, v1.18.38, v1.18.36 (Compare Source)
v1.18.34, v1.18.32, v1.18.30, v1.18.28, v1.18.26, v1.18.24

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.