From 1435476f50dbc629ff029b54941ef44e4424cccb Mon Sep 17 00:00:00 2001
From: Kyle Neale
Date: Thu, 21 Nov 2024 08:07:03 -0500
Subject: [PATCH] Bump confluent-kafka to 2.6.1 to address CVE (#19099)
* Bump confluent-kafka to 2.6.1 to address CVE
* Add changelog
* Override confluent-kafka license (#19100)
---
 .builders/images/linux-aarch64/build_script.sh | 2 +-
 .builders/images/linux-x86_64/build_script.sh | 2 +-
 .builders/images/macos-x86_64/extra_build.sh | 2 +-
 .ddev/ci/scripts/kafka_consumer/linux/32_install_kerberos.sh | 2 +-
 .ddev/config.toml | 2 ++
 agent_requirements.in | 2 +-
 kafka_consumer/changelog.d/19099.security | 1 +
 kafka_consumer/hatch.toml | 2 +-
 kafka_consumer/pyproject.toml | 2 +-
 9 files changed, 10 insertions(+), 7 deletions(-)
 create mode 100644 kafka_consumer/changelog.d/19099.security
diff --git a/.builders/images/linux-aarch64/build_script.sh b/.builders/images/linux-aarch64/build_script.sh
index cb58dceeaa005..537fd958807d6 100644
--- a/.builders/images/linux-aarch64/build_script.sh
+++ b/.builders/images/linux-aarch64/build_script.sh
@@ -21,7 +21,7 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
 LDFLAGS="${LDFLAGS} -L/usr/local/lib -lkrb5 -lgssapi_krb5 -llmdb" \
 DOWNLOAD_URL="https://github.com/confluentinc/librdkafka/archive/refs/tags/v{{version}}.tar.gz" \
 VERSION="${kafka_version}" \
- SHA256="3dc62de731fd516dfb1032861d9a580d4d0b5b0856beb0f185d06df8e6c26259" \
+ SHA256="0ddf205ad8d36af0bc72a2fec20639ea02e1d583e353163bf7f4683d949e901b" \
 RELATIVE_PATH="librdkafka-{{version}}" \
 bash install-from-source.sh --enable-sasl --enable-curl
 always_build+=("confluent-kafka")
diff --git a/.builders/images/linux-x86_64/build_script.sh b/.builders/images/linux-x86_64/build_script.sh
index c78bae6127d1f..be6a4e0ce2aa7 100644
--- a/.builders/images/linux-x86_64/build_script.sh
+++ b/.builders/images/linux-x86_64/build_script.sh
@@ -18,7 +18,7 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
 LDFLAGS="${LDFLAGS} -L/usr/local/lib -lkrb5 -lgssapi_krb5 -llmdb" \
 DOWNLOAD_URL="https://github.com/confluentinc/librdkafka/archive/refs/tags/v{{version}}.tar.gz" \
 VERSION="${kafka_version}" \
- SHA256="3dc62de731fd516dfb1032861d9a580d4d0b5b0856beb0f185d06df8e6c26259" \
+ SHA256="0ddf205ad8d36af0bc72a2fec20639ea02e1d583e353163bf7f4683d949e901b" \
 RELATIVE_PATH="librdkafka-{{version}}" \
 bash install-from-source.sh --enable-sasl --enable-curl
 always_build+=("confluent-kafka")
diff --git a/.builders/images/macos-x86_64/extra_build.sh b/.builders/images/macos-x86_64/extra_build.sh
index f5e49d609e6fb..f1cde38e881d4 100644
--- a/.builders/images/macos-x86_64/extra_build.sh
+++ b/.builders/images/macos-x86_64/extra_build.sh
@@ -13,7 +13,7 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
 LDFLAGS="${LDFLAGS} -L${DD_PREFIX_PATH}/lib -lgssapi_krb5 -llmdb" \
 DOWNLOAD_URL="https://github.com/confluentinc/librdkafka/archive/refs/tags/v{{version}}.tar.gz" \
 VERSION="${kafka_version}" \
- SHA256="3dc62de731fd516dfb1032861d9a580d4d0b5b0856beb0f185d06df8e6c26259" \
+ SHA256="0ddf205ad8d36af0bc72a2fec20639ea02e1d583e353163bf7f4683d949e901b" \
 RELATIVE_PATH="librdkafka-{{version}}" \
 bash install-from-source.sh --prefix="${DD_PREFIX_PATH}" --enable-sasl --enable-curl
diff --git a/.ddev/ci/scripts/kafka_consumer/linux/32_install_kerberos.sh b/.ddev/ci/scripts/kafka_consumer/linux/32_install_kerberos.sh
index 0b5b24ba2ce76..9d87b8beb48f8 100755
--- a/.ddev/ci/scripts/kafka_consumer/linux/32_install_kerberos.sh
+++ b/.ddev/ci/scripts/kafka_consumer/linux/32_install_kerberos.sh
@@ -8,7 +8,7 @@ sudo apt install -y --no-install-recommends build-essential libkrb5-dev wget sof
 # Install librdkafka from source since no binaries are available for the distribution we use on the CI:
 git clone https://github.com/confluentinc/librdkafka
 cd librdkafka
-git checkout v2.5.0
+git checkout v2.6.1
 sudo ./configure --install-deps --prefix=/usr
 make
 sudo make install
diff --git a/.ddev/config.toml b/.ddev/config.toml
index 4a4d131e5ea52..96bea55354138 100644
--- a/.ddev/config.toml
+++ b/.ddev/config.toml
@@ -70,6 +70,8 @@ exclude = true
 aerospike = ['Apache-2.0']
 # https://github.com/pyca/cryptography/blob/main/LICENSE
 cryptography = ['Apache-2.0', 'BSD-3-Clause', 'PSF']
+# https://github.com/confluentinc/confluent-kafka-python/blob/master/LICENSE
+confluent-kafka = ['Apache-2.0']
 # https://github.com/rthalley/dnspython/blob/master/LICENSE
 dnspython = ['ISC']
 # https://github.com/cannatag/ldap3/blob/dev/COPYING.txt
diff --git a/agent_requirements.in b/agent_requirements.in
index 41b87b9825289..17b6d28051615 100644
--- a/agent_requirements.in
+++ b/agent_requirements.in
@@ -9,7 +9,7 @@ cachetools==5.5.0
 clickhouse-cityhash==1.0.2.4
 clickhouse-driver==0.2.9
 cm-client==45.0.4
-confluent-kafka==2.5.0
+confluent-kafka==2.6.1
 cryptography==43.0.1
 ddtrace==2.10.6
 dnspython==2.6.1
diff --git a/kafka_consumer/changelog.d/19099.security b/kafka_consumer/changelog.d/19099.security
new file mode 100644
index 0000000000000..48e5443d8c3a5
--- /dev/null
+++ b/kafka_consumer/changelog.d/19099.security
@@ -0,0 +1 @@
+Bump confluent-kafka to 2.6.1
\ No newline at end of file
diff --git a/kafka_consumer/hatch.toml b/kafka_consumer/hatch.toml
index 2c54fc0f8f402..8947bec36709a 100644
--- a/kafka_consumer/hatch.toml
+++ b/kafka_consumer/hatch.toml
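Review bot: The new `confluent-kafka = ['Apache-2.0']` override in the .ddev/config.toml hunk records only the licence of the Python binding, while the artifact this repository actually ships is built with `--no-binary confluent-kafka` against a librdkafka that the builder scripts compile from source, and librdkafka is distributed under a BSD-2-Clause licence. If the overrides table is meant to describe everything linked into the shipped wheel (the `cryptography` entry just above lists its bundled components), the entry is presumably incomplete and should read `confluent-kafka = ['Apache-2.0', 'BSD-2-Clause']` with a second URL comment pointing at the librdkafka LICENSE; if it only describes PyPI metadata, a one-line comment saying so would stop the next reader from asking the same question. I cannot see from the hunk which of the two the table is for, so please confirm against the licence-check tooling before changing it.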
@@ -5,7 +5,7 @@
 # Also bump the LIBRDKAFKA_VERSION version in this file
 post-install-commands = [
 "python -m pip uninstall -y confluent-kafka",
- "python -m pip install --no-binary confluent-kafka confluent-kafka==2.5.0",
+ "python -m pip install --no-binary confluent-kafka confluent-kafka==2.6.1",
 ]
 [envs.default.env-vars]
diff --git a/kafka_consumer/pyproject.toml b/kafka_consumer/pyproject.toml
index f6f15c1917fef..7c44ca3a70897 100644
--- a/kafka_consumer/pyproject.toml
+++ b/kafka_consumer/pyproject.toml
@@ -36,7 +36,7 @@ license = "BSD-3-Clause"
 [project.optional-dependencies]
 deps = [
- "confluent-kafka==2.5.0",
+ "confluent-kafka==2.6.1",
 ]
 [project.urls]
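Review bot: The context line `# Also bump the LIBRDKAFKA_VERSION version in this file` asks for a companion change that this commit does not make: the diffstat lists `kafka_consumer/hatch.toml | 2 +-`, so only the pip pin in `post-install-commands` moved to 2.6.1, and the `[envs.default.env-vars]` table where that variable presumably lives is outside the hunk. If LIBRDKAFKA_VERSION is still at the previous value, the dev environment builds confluent-kafka 2.6.1 from source against an older librdkafka, so the library exercised by the test suite is not the one the builder scripts install (they fetch librdkafka at `${kafka_version}` and verify it with the new SHA256), and a fix that lives in librdkafka would not be covered by CI. Set LIBRDKAFKA_VERSION to 2.6.1 in that table in the same commit, or, to keep the two pins from drifting again, derive one from the other rather than maintaining both by hand.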