@edenhill this issue will certainly turn up as a matter of concern for most production set-ups using librdkafka.
The issue is actually wider on the producer end, where the chance of a Windows machine is much higher compared to a server-side Consumer build.
On that note, is this something that is surely being fixed for version 1.8.0, and if so what is the tentative date for version 1.8.0's release?
Yes this will be fixed in v1.8.0 which is scheduled for August.
CVEs:
CVE-2016-9840: undefined behaviour (compiler dependent) in inflate (decompression) code: this is used by the librdkafka consumer. Risk of successfully exploiting this through consumed messages is very low.
CVE-2016-9841: undefined behaviour (compiler dependent) in inflate code: this is used by the librdkafka consumer. Risk of successfully exploiting this through consumed messages seems very low.
CVE-2016-9842: undefined behaviour in inflateMark(): this API is not used by librdkafka.
CVE-2016-9843: issue in crc32_big() which is called from crc32_z(): this API is not used by librdkafka.
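As an added example (not code from this issue or from librdkafka), the reporter's "check the version of zlib.dll" step can be automated and tied to the CVE breakdown above: the script reads a DLL's FileVersion by scanning the PE image for the VS_FIXEDFILEINFO signature (a heuristic used here instead of walking the .rsrc directory tree) and reports which of the four CVEs still apply to that version, optionally restricted to the inflate path a consumer actually reaches. It assumes zlib 1.2.9 is the release that fixed all four.

```python
import struct
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored on disk, little-endian.
VS_FFI_SIGNATURE = b"\xbd\x04\xef\xfe"
VS_FFI_STRUCVERSION = 0x00010000  # dwStrucVersion is always 1.0

# Assumption: zlib 1.2.9 is the release that fixed all four CVEs below.
ZLIB_FIXED_IN: Version = (1, 2, 9, 0)

# Affected zlib entry point per CVE and whether the librdkafka consumer
# reaches it, taken from the maintainer's breakdown in this thread.
ZLIB_CVES: Dict[str, Tuple[str, bool]] = {
    "CVE-2016-9840": ("inflate()", True),
    "CVE-2016-9841": ("inflate()", True),
    "CVE-2016-9842": ("inflateMark()", False),
    "CVE-2016-9843": ("crc32_z()", False),
}


def pe_file_version(image: bytes) -> Optional[Version]:
    """FileVersion of a PE image, found by scanning for VS_FIXEDFILEINFO
    (dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS) rather
    than walking the .rsrc tree; dwStrucVersion filters out false hits."""
    off = image.find(VS_FFI_SIGNATURE)
    while off >= 0 and off + 16 <= len(image):
        _sig, struc, ms, ls = struct.unpack_from("<IIII", image, off)
        if struc == VS_FFI_STRUCVERSION:
            return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        off = image.find(VS_FFI_SIGNATURE, off + 1)
    return None


def affected_cves(version: Version, consumer_only: bool = False) -> Dict[str, str]:
    """CVEs still open at this zlib version, optionally only those a consumer reaches."""
    if version >= ZLIB_FIXED_IN:
        return {}
    return {cve: entry for cve, (entry, reached) in ZLIB_CVES.items()
            if reached or not consumer_only}


def audit_zlib_dll(path: str) -> Tuple[Optional[Version], Dict[str, str]]:
    """Read a zlib.dll from disk and report its FileVersion plus open CVEs."""
    with open(path, "rb") as fh:
        version = pe_file_version(fh.read())
    return version, ({} if version is None else affected_cves(version))
```

Run `audit_zlib_dll(r"C:\path\to\zlib.dll")` against the DLL shipped next to librdkafka; a result of `(1, 2, 8, 0)` with four open CVEs matches the situation reported in this issue.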
Description
Unfortunately we cannot use librdkafka anymore because it uses an insecure version of zlib.dll. For details see https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html
How to reproduce
Check version of zlib.dll (1.2.8.0)
Checklist
Please provide the following information:
1.4.2
2.5.0
Windows 10 (x64)