Skip to content

KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 #19939

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 11, 2025
Merged

KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 #19939

merged 2 commits into from
Jun 11, 2025

Conversation

showuon
Copy link
Member

@showuon showuon commented Jun 10, 2025
edited by github-actions bot
Loading

Bump the commons-beanutils for CVE-2025-48734. Since commons-validator
hasn't had new release with newer commons-beanutils versions, we
manually bump it in kafka.

Reviewers: Mickael Maison mickael.maison@gmail.com

@github-actions github-actions bot added dependencies Pull requests that update a dependency file build Gradle build or GitHub Actions small Small PRs core Kafka Broker labels Jun 10, 2025
@showuon showuon marked this pull request as ready for review June 10, 2025 05:53
@showuon showuon force-pushed the bumpCommonsBeanutils branch from 33aa3e8 to ef11ade Compare June 10, 2025 06:28
@showuon showuon force-pushed the bumpCommonsBeanutils branch from 86236c7 to 5ed6a58 Compare June 10, 2025 09:52
mimaison
mimaison approved these changes Jun 11, 2025
View reviewed changes
Copy link
Member

@mimaison mimaison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Built a release locally and checked we now ship commons-beanutils-1.11.0. LGTM

@showuon showuon merged commit ff58e90 into apache:trunk Jun 11, 2025
24 checks passed
@showuon showuon mentioned this pull request Jun 11, 2025
Merged
showuon added a commit that referenced this pull request Jun 11, 2025
@showuon
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (#19939)
ddc3047 
Bump the commons-beanutils for CVE-2025-48734. Since `commons-validator`
hasn't had new release with newer `commons-beanutils` versions, we manually bump it in kafka.

Reviewers: Mickael Maison <mickael.maison@gmail.com>
showuon added a commit that referenced this pull request Jun 12, 2025
@showuon
MINOR: Bump commons beanutils39 (#19949)
a759822 
trunk PR: #19939

Bump the commons-beanutils for
GHSA-wxr5-93ph-8wr9. Since commons-validator hasn't had new release with newer commons-beanutils versions, we manually bump it in kafka.

Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
@jmini
Copy link

jmini commented Jun 12, 2025

Since commons-validator hasn't had new release with newer commons-beanutils version

This is tracked here:
https://issues.apache.org/jira/browse/VALIDATOR-500

airlock-confluentinc bot pushed a commit to confluentinc/kafka that referenced this pull request Jul 11, 2025
@showuon @silvanli-confluent
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#…
c7d18c9 
…19939)

Bump the commons-beanutils for CVE-2025-48734. Since `commons-validator`
hasn't had new release with newer `commons-beanutils` versions, we manually bump it in kafka.

Reviewers: Mickael Maison <mickael.maison@gmail.com>
airlock-confluentinc bot pushed a commit to confluentinc/kafka that referenced this pull request Jul 11, 2025
@showuon @silvanli-confluent
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#…
1b2d69a 
…19939)

Bump the commons-beanutils for CVE-2025-48734. Since `commons-validator`
hasn't had new release with newer `commons-beanutils` versions, we manually bump it in kafka.

Reviewers: Mickael Maison <mickael.maison@gmail.com>
airlock-confluentinc bot pushed a commit to confluentinc/kafka that referenced this pull request Jul 12, 2025
@showuon @silvanli-confluent
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#…
dab2d97 
…19939)

Bump the commons-beanutils for CVE-2025-48734. Since `commons-validator`
hasn't had new release with newer `commons-beanutils` versions, we manually bump it in kafka.

Reviewers: Mickael Maison <mickael.maison@gmail.com>
airlock-confluentinc bot pushed a commit to confluentinc/kafka that referenced this pull request Jul 12, 2025
@showuon @silvanli-confluent
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#…
6b3ee46 
…19939)

Bump the commons-beanutils for CVE-2025-48734. Since `commons-validator`
hasn't had new release with newer `commons-beanutils` versions, we manually bump it in kafka.

Reviewers: Mickael Maison <mickael.maison@gmail.com>
silvanli-confluent added a commit to confluentinc/kafka that referenced this pull request Jul 14, 2025
@silvanli-confluent
Merge pull request #1696 from confluentinc/KSECURITY-2537-3-6
ffa5c31 
3.6 force bump commons-beanutils for CVE-2025-48734 (apache#19939)
silvanli-confluent added a commit to confluentinc/kafka that referenced this pull request Jul 14, 2025
@silvanli-confluent
Merge pull request #1697 from confluentinc/KSECURITY-2537-3-7
ec7815c 
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#19939)
silvanli-confluent added a commit to confluentinc/kafka that referenced this pull request Jul 14, 2025
@silvanli-confluent
Merge pull request #1698 from confluentinc/KSECURITY-2537-3-8
61e15ea 
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#19939)
silvanli-confluent added a commit to confluentinc/kafka that referenced this pull request Jul 14, 2025
@silvanli-confluent
Merge pull request #1699 from confluentinc/KSECURITY-2537-7-7-0-cp12
6ec9ffd 
KAFKA-19359: force bump commons-beanutils for CVE-2025-48734 (apache#19939)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mimaison mimaison

@fvaleri fvaleri

Assignees
No one assigned
Labels
build Gradle build or GitHub Actions core Kafka Broker dependencies Pull requests that update a dependency file small Small PRs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@showuon @jmini @mimaison @fvaleri