Skip to content

HIVE-29238:upgrade kafka version to fix CVE-2024-31141 and CVE-2021-3… #6110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

HIVE-29238:upgrade kafka version to fix CVE-2024-31141 and CVE-2021-3… #6110

wants to merge 2 commits into from
+70 −92

Conversation

@ramitg254
Copy link
Contributor

@ramitg254 ramitg254 commented Oct 2, 2025

…8153

What changes were proposed in this pull request?

Why are the changes needed?

Does this PR introduce any user-facing change?

How was this patch tested?

zabetak
zabetak reviewed Oct 2, 2025
View reviewed changes
pom.xml
<junit.jupiter.version>5.13.3</junit.jupiter.version>
<junit.vintage.version>5.13.3</junit.vintage.version>
<kafka.version>2.5.0</kafka.version>
<kafka.version>3.9.1</kafka.version>
Copy link
Member

@zabetak zabetak Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I recall well there were issues with previous upgrade attempts. Please check the (git) history and related PRs for more information to ensure that code remains functional.

Copy link
Contributor Author

@ramitg254 ramitg254 Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes I am aware of that, its wip right now, I am planning to address those issues if I get a grren label in current state

@ramitg254 ramitg254 changed the title [WIP]HIVE-29238:upgrade kafka version to fix CVE-2024-31141 and CVE-2021-3… HIVE-29238:upgrade kafka version to fix CVE-2024-31141 and CVE-2021-3… Oct 21, 2025
@ramitg254 ramitg254 changed the title [WIP]HIVE-29238:upgrade kafka version to fix CVE-2024-31141 and CVE-2021-3… HIVE-29238:upgrade kafka version to fix CVE-2024-31141 and CVE-2021-3… Oct 24, 2025
@ramitg254
Copy link
Contributor Author

ramitg254 commented Oct 24, 2025
edited
Loading

earlier kafka upgrade was made for the sake of compatibility needed as mentioned in #4082 and this was reverted because some test cases were disabled to check upgrade properly and this was not an issue anymore due to refractor as mentioned in this revert ticket https://issues.apache.org/jira/browse/HIVE-27475 and after that a flaky test related to it was enabled int this ticket https://issues.apache.org/jira/browse/HIVE-27502 and it is also passing regularly locally after the upgrade.
@zabetak @kokila-19 can you please review this.

@ramitg254
Copy link
Contributor Author

ramitg254 commented Oct 27, 2025

most changes proposed are in accordance to following changes in kafka dependency:
https://github.com/apache/kafka/pull/11362/files

https://github.com/apache/kafka/pull/9883/files#diff-a989eda6b96fe07339c2a8584ae96f22fd834110983e7118f72c9307c4c69780

https://github.com/apache/kafka/pull/13231/files#diff-d36f66ed751cbdd3eb37ce4773bb55d59d335f32fbee3595e809151ae3d35124:~:text=Map%3CTopicPartition%2C%20Errors%3E%20errors%20%3D%20addPartitionsToTxnResponse.errors().get(AddPartitionsToTxnResponse.V3_AND_BELOW_TXN_ID)%3B

https://github.com/apache/kafka/pull/12590/files
and some refractoring which took place in between the version gaps

zabetak
zabetak reviewed Nov 7, 2025
View reviewed changes
Copy link
Member

@zabetak zabetak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before merging this PR we should ensure that kafka_storage_handler.q runs fine so addressing https://issues.apache.org/jira/browse/HIVE-23985 seems like a prerequisite for merging this PR. I will start a flaky check for kafka_storage_handler.q in master and if it passes I will reenable the test.

In the meantime, you can run the test locally and check if it passes with the changes in this PR.

@ramitg254
Copy link
Contributor Author

ramitg254 commented Nov 7, 2025

Before merging this PR we should ensure that kafka_storage_handler.q runs fine so addressing https://issues.apache.org/jira/browse/HIVE-23985 seems like a prerequisite for merging this PR. I will start a flaky check for kafka_storage_handler.q in master and if it passes I will reenable the test.

In the meantime, you can run the test locally and check if it passes with the changes in this PR.

with the current changes I am seeing errors while running this test so trying to solve those errors in the meantime

@zabetak
Copy link
Member

zabetak commented Nov 7, 2025

@ramitg254 Please take a look at the PR for https://issues.apache.org/jira/browse/HIVE-27407. In the past I fixes some of these errors there.

@ramitg254
Copy link
Contributor Author

ramitg254 commented Nov 8, 2025

@zabetak Thanks for the info, some props changes were left , I have added those changes and enabled the kafka_storage_handler.q and results are getting generated so its fine now.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 8, 2025

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zabetak zabetak zabetak left review comments

Assignees

No one assigned

Labels

tests pending

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ramitg254 @zabetak @asf-ci-hive