confluent-kafka/8.3.0.91 package update

d7a736a
Open

confluent-kafka/8.3.0.91 package update #76554

Octo STS / staging-autofix completed Dec 24, 2025 in 0s

Pull request does not have the "staging-autofix" label

ci-cve-scan

The build failed due to a CVE scan detecting a critical vulnerability (CVE-2025-68161) in log4j-core 2.25.1. The scan was configured in 'fail-any' mode, leading to the immediate failure.

❌ Other error @ /usr/lib/kafka/libs/log4j-core-2.25.1.jar
Command:
CVE Scan
Diagnostic:
CVEs Found (fail-any mode) - log4j-core 2.25.1 has Medium CVE-2025-68161 (GHSA-vc5p-v9hr-52mj) fixed in 2.25.3
Log Snippets:
Indicates the CVE scan failed because it found vulnerabilities and was configured to fail on any CVE.
### ⚠️ CVEs Found (fail-any mode)

This check is running in fail-any mode and will fail because CVEs were found.


Details the specific CVE found in log4j-core 2.25.1 for aarch64, including its severity, ID, and the version where it's fixed.
#### aarch64/confluent-kafka-8.3.0.91-r0.apk
└── 📄 /usr/lib/kafka/libs/log4j-core-2.25.1.jar
        📦 log4j-core 2.25.1 (java-archive)
            Medium CVE-2025-68161 GHSA-vc5p-v9hr-52mj fixed in 2.25.3

Details the specific CVE found in log4j-core 2.25.1 for x86_64, confirming the same vulnerability across architectures.
#### x86_64/confluent-kafka-8.3.0.91-r0.apk
└── 📄 /usr/lib/kafka/libs/log4j-core-2.25.1.jar
        📦 log4j-core 2.25.1 (java-archive)
            Medium CVE-2025-68161 GHSA-vc5p-v9hr-52mj fixed in 2.25.3
