
Aix.foundatio.MessagingEX.kafka 1.163.1 doesn't have the latest version of librdkafka.redist (1.8.2). The zlib library has vulnerabilities in the older version of librdkafka.redist. #4

Open · VetriVijay opened this issue Dec 9, 2021 · 6 comments

Comments

VetriVijay commented Dec 9, 2021

Hi,

The zlib library has the following vulnerabilities in the older version of the librdkafka.redist package.

CVEs:
CVE-2016-9840: undefined behaviour (compiler dependent) in inflate (decompression) code: this is used by the librdkafka consumer. Risk of successfully exploiting through consumed messages very low.
CVE-2016-9841: undefined behaviour (compiler dependent) in inflate code: this is used by the librdkafka consumer. Risk of successfully exploiting through consumed messages seems very low.
CVE-2016-9842: undefined behaviour in inflateMark(): this API is not used by librdkafka.
CVE-2016-9843: issue in crc32_big() which is called from crc32_z(): this API is not used by librdkafka.

We are using the latest version of Aix.Foundatio.MessagingEx.kafka, 1.163.1, but it doesn't have the latest version of librdkafka.redist (1.8.2).

Currently Aix.foundatio.MessagingEX.kafka 1.163.1 has the older librdkafka.redist version, 1.6.1.

Please update to the latest version of librdkafka.redist (1.8.2) to resolve these vulnerabilities.

So can you please update librdkafka.redist to the latest version (1.8.2) in the latest version of the Aix.foundatio.MessagingEX.kafka 1.163.1 package?

VetriVijay changed the title from "Aix.foundatio.MessagingEX.kafka 1.163.1. doesn't have latest version of librdkafka.redist (1.8.2) version." to "Aix.foundatio.MessagingEX.kafka 1.163.1. doesn't have latest version of librdkafka.redist (1.8.2) version. zlib library have vulnerability in the older version of librdkafka.redist." on Dec 9, 2021

@ManaseePatra commented:

Hi linzhiqiang,

Any update regarding the above concern?

Appreciate your earliest response.

@linzhiqiang (Owner) commented:

Sorry, I've been a little busy lately.
I've updated it. Please try.

ManaseePatra commented Dec 20, 2021

Thank you so much linzhiqiang. Yes, it looks good now, and Confluent.Kafka is upgraded to the latest one.
Is it possible to upgrade the Foundatio version from 10.0.2 to 10.2.5 in the latest Aix.foundatio.MessagingEX.kafka NuGet package? We have a vulnerable library, System.Text.Encodings.Web version 5.0.0, which is a child dependency of Foundatio; we need System.Text.Encodings.Web version 5.0.1.

Please do the needful. Thank you in advance.
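Both requests in this thread (the librdkafka.redist bump in the opening post and the System.Text.Encodings.Web bump above) are the same problem: a vulnerable version reaching the application as a transitive dependency. The following script is an added example, not code from this repository or from any commenter; it reads a NuGet packages.lock.json document, compares every resolved package (direct or transitive) against a minimum-version policy built from the versions named in this thread, and reports what is still below the floor. The lock file content and the policy dictionary are constructed for the example.

```python
import json

# Minimum safe versions taken from the thread: librdkafka.redist 1.8.2 carries
# the zlib fixes, and System.Text.Encodings.Web 5.0.1 is the version requested
# for the Foundatio child dependency (NuGet id; the comment spells it without "s").
MIN_VERSIONS: dict[str, str] = {
    "librdkafka.redist": "1.8.2",
    "System.Text.Encodings.Web": "5.0.1",
}

def parse_version(v: str) -> tuple[int, ...]:
    """'1.8.2' or '5.0.1-beta' -> comparable tuple; suffix dropped, padded so 1.8 == 1.8.0."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + (0,) * (4 - len(parts))

def find_outdated(lock_json: str,
                  minimums: dict[str, str] = MIN_VERSIONS) -> list[tuple[str, str, str, str]]:
    """Scan a packages.lock.json document and return (framework, package, resolved,
    required) for every direct or transitive package below the policy minimum."""
    lock = json.loads(lock_json)
    findings = []
    for framework, packages in lock.get("dependencies", {}).items():
        for name, info in packages.items():
            # NuGet ids are case-insensitive, so match the policy that way too
            required = next((m for p, m in minimums.items()
                             if p.lower() == name.lower()), None)
            if required is None:
                continue
            resolved = info.get("resolved", "0")
            if parse_version(resolved) < parse_version(required):
                findings.append((framework, name, resolved, required))
    return findings

# Constructed sample lock file mirroring the versions quoted in the thread
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Aix.Foundatio.MessagingEx.kafka": {"type": "Direct", "resolved": "1.163.1"},
            "librdkafka.redist": {"type": "Transitive", "resolved": "1.6.1"},
            "System.Text.Encodings.Web": {"type": "Transitive", "resolved": "5.0.0"},
        }
    },
})

if __name__ == "__main__":
    for fw, pkg, have, need in find_outdated(SAMPLE_LOCK):
        print(f"{fw}: {pkg} {have} is below the required {need}")
```

Running it against a real lock file (generate one with `dotnet restore --use-lock-file`) gives a quick pre-upgrade and post-upgrade check that the transitive versions actually changed, which is what the "looks good now" confirmation above relies on.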

@linzhiqiang (Owner) commented:

It's OK, please try.

@ManaseePatra commented:

> It's OK, Please try.

Thank you.

@ManaseePatra commented:

Hi linzhiqiang,
We are getting the "unknown topic/partition" exception after upgrading Confluent.Kafka from 1.4.4 to the latest version, 1.8.2.

If you remember, earlier we faced this when we upgraded to 1.6.3, and at that time we downgraded to 1.4.4. But it looks like that issue still exists in the higher version. We need the latest version of MessagePack with Confluent.Kafka.

Please suggest a solution, or else can you please do the same, as we need the latest version of MessagePack with Confluent.Kafka version 1.4.4?

As per my understanding, the topics should be created when the application starts. Correct me if I am wrong here. Appreciate your early response. In the higher version it's not happening; rather, we are getting the above issue. Please do the needful.
