Vulnerability fix for the kafka image

[Veljen]

hi,

we have found the below CVE for the kafka image. can we fix this by updating the docker file? please guide me how to fix this ?

[scholzj]

Strimzi builds on top of various other open-source projects and where possible, tries to update them every release. We do not rebuild all the dependencies from the source. If these vulnerabilities were updated in the source projects, they will likely be addressed in the next Strimzi release (which we expect shortly after Apache Kafka 3.7.0 is released). In the meantime, if you want, you can check the individual projects if they addressed these vulnerabilities and if not, contribute to fixes there. And if they did and the latest Strimzi builds from the main branch do not contain them yet, feel free to open a PR to update them.

[scholzj]

The exact path where the vulnerability is found should normally tell you where it comes from. E.g. if it is in the Cruise Control folder, it is likely coming with Cruise Control etc.

[Veljen]

@scholzj

https://github.com/apache/kafka/releases/tag/3.7.0 apache kafka released this version. when strimzi will support this kafka version ?

[scholzj]

It is not yet released, it is not yet announced. The artifacts are just being staged for the release.

[Veljen]

@scholzj

our security team is asking so much details. who is the code signer for this repo? I seen the maintainer page and its all from redhat and had personal email ID.. can you please help with this details? redhat is officially code signer of this repo ?

[scholzj]

Strimzi is an open-source community. It is part of the Cloud Native Computing Foundation. Some people work on it for free in their spare time, others are paid by some companies and some mix both things together. But Strimzi does not belong to any particular company. Its maintainers can use whatever email they prefer.