Quarkus upstream upgraded Kafka to version 3.7.2 because of the fix for CVE-2024-56128 [1], but on the product side the latest supported version of Kafka is 3.7.1.
Talked to cescoffi@redhat.com about the situation; we agreed to downgrade to the product-supported 3.7.1, as there are no intentions for them to build 3.7.2. The CVE has also not been backported to the product 3.7.1.
- causes: QUARKUS-5871 Kafka was downgraded between upstream and RHBQ versions of 3.15.4 (Closed)
- is cloned by: QUARKUS-6059 Downgrade Kafka to version 3.7.1 (Closed)
- relates to: QUARKUS-5827 [3.15] Update Kafka client version to 3.7.2 to cover CVE-2024-56128 (Closed)
- links to: RHSA-2025:3376 Red Hat build of Quarkus 3.15.4 release and security update