  1. Debezium
  2. DBZ-9140

Upgrade Kafka to 3.9.1


    • Bug
    • Resolution: Unresolved
    • Critical
    • 3.1.4.Final
    • 3.0.9.Final, 3.1.2.Final
    • None
    • None
    • False
    • False
    • Critical

      In order to make your issue reports as actionable as possible, please provide the following information, depending on the issue type.

      Bug report

      For bug reports, provide this information, please:

      What Debezium connector do you use and what version?

      MySQL & MongoDB Connector

      Version: debezium/connect:3.0.5.FINAL \ 3.1.2.FINAL

      What is the connector configuration?

      {
          "name": "debezium-mysql",
          "config": {
              "connector.class": "io.debezium.connector.mysql.MySqlConnector",
              "database.hostname": "xxx",
              "database.port": "3306",
              "database.user": "root",
              "database.password": "xxx",
              "database.server.id": "184090",
              "topic.prefix": "debezium_spider",
              "database.include.list": "spider",
              "table.include.list": "resource_meta",
              "schema.history.internal.kafka.bootstrap.servers": "kafka:9092",
              "schema.history.internal.kafka.topic": "spider-schema-changes-topic",
              "database.allowPublicKeyRetrieval": "true",
              "message.key.columns": "resource_meta:resource_id",
              "batch.size": 2048,
              "max.queue.size": 8192,
              "include.schema.changes": false,
              "schema.history.internal.skip.unparseable.ddl": true,
              "schema.history.internal.store.only.captured.tables.ddl": true,
              "schema.history.internal.store.only.captured.databases.ddl": true
          }
      }

      What is the captured database version and mode of deployment?

      (E.g. on-premises, with a specific cloud provider, etc.)

      <Your answer>

      What behavior do you expect?

      We noticed that the current Debezium images (e.g., debezium/connect) still include Apache Kafka 3.9.0, which is affected by several recently disclosed security vulnerabilities:

      • CVE-2025-27817
      • CVE-2025-27818
      • CVE-2025-27819

      These vulnerabilities impact the Kafka client libraries bundled in Debezium and may pose security risks in production environments. We would like to request an upgrade of the embedded Kafka components (especially kafka-clients) to a patched version, preferably Kafka 3.9.1 or the latest available secure version.

      What behavior do you see?

      <Your answer>

      Do you see the same behaviour using the latest released Debezium version?

      (Ideally, also verify with latest Alpha/Beta/CR version)

      <Your answer>

      Do you have the connector logs, ideally from start till finish?

      (You might be asked later to provide DEBUG/TRACE level log)

      <Your answer>

      How to reproduce the issue using our tutorial deployment?

      <Your answer>

      Feature request or enhancement

      For feature requests or enhancements, provide this information, please:

      Which use case/requirement will be addressed by the proposed feature?

      <Your answer>

      Implementation ideas (optional)

      <Your answer>

              Unassigned
              lizhi_1214 Zhi Li (Inactive)
              Votes: 1
              Watchers: 3