Quarkus upstream upgraded Kafka to version 3.7.2 to pick up the fix for CVE-2024-56128 [1], but on the product side the latest supported version of Kafka is 3.7.1.
Talked to cescoffi@redhat.com about the situation; we agreed to downgrade to the product-supported 3.7.1, as there are no intentions for them to build 3.7.2. The CVE has also not been backported to the product 3.7.1.
Issue links:

- causes
  - QUARKUS-5871 Kafka was downgraded between upstream and RHBQ versions of 3.15.4 (Closed)
- clones
  - QUARKUS-5849 Downgrade Kafka to version 3.7.1 (Closed)
- is cloned by
  - QUARKUS-6294 Downgrade Kafka to version 3.7.1 (Closed)
- relates to
  - QUARKUS-5827 [3.15] Update Kafka client version to 3.7.2 to cover CVE-2024-56128 (Closed)
- links to
  - RHBA-2025:150268 Red Hat build of Quarkus 3.15.5 release
  - RHSA-2025:3376 Red Hat build of Quarkus 3.15.4 release and security update