From 5ff0da2c7b37468820cdf883e0cf96592c1d1503 Mon Sep 17 00:00:00 2001 From: dongjiao Date: Tue, 21 Oct 2025 16:55:30 +0800 Subject: [PATCH] =?UTF-8?q?=E5=8D=87=E7=BA=A7jetty=E5=88=B09.4.51.v2023021?= =?UTF-8?q?7=EF=BC=8C=E4=BF=AE=E5=A4=8DCVE-2023-26048=E5=92=8CCVE-2023-260?= =?UTF-8?q?49?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 0018-CVE-2023-26048-and-CVE-2023-26049.patch | 12 ++++++++++++ kafka.spec | 5 ++++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 0018-CVE-2023-26048-and-CVE-2023-26049.patch diff --git a/0018-CVE-2023-26048-and-CVE-2023-26049.patch b/0018-CVE-2023-26048-and-CVE-2023-26049.patch new file mode 100644 index 0000000..b969785 --- /dev/null +++ b/0018-CVE-2023-26048-and-CVE-2023-26049.patch @@ -0,0 +1,12 @@ +diff -uNr kafka-2.8.2-src/gradle/dependencies.gradle kafka-2.8.2-src-new/gradle/dependencies.gradle +--- kafka-2.8.2-src/gradle/dependencies.gradle 2025-10-21 17:13:00.201918257 +0800 ++++ kafka-2.8.2-src-new/gradle/dependencies.gradle 2025-10-21 17:13:59.861410855 +0800 +@@ -70,7 +70,7 @@ + jacksonDatabind: "2.13.4.2", + jacoco: "0.8.5", + javassist: "3.27.0-GA", +- jetty: "9.4.48.v20220622", ++ jetty: "9.4.51.v20230217", + jersey: "2.34", + jline: "3.12.1", + jmh: "1.27", diff --git a/kafka.spec b/kafka.spec index 1bf6c73..7a8831a 100644 --- a/kafka.spec +++ b/kafka.spec @@ -4,7 +4,7 @@ Name: kafka Version: 2.8.2 -Release: 17 +Release: 18 Summary: A Distributed Streaming Platform. License: Apache-2.0 @@ -29,6 +29,7 @@ Patch13: 0014-override-toString.patch Patch14: 0015-SessionWindows-closed-early.patch Patch15: 0016-non-existent-URL.patch Patch16: 0017-fix-log-clean.patch +Patch17: 0018-CVE-2023-26048-and-CVE-2023-26049.patch BuildRequires: systemd java-1.8.0-openjdk-devel Provides: kafka = %{version} 
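Review bot: Nothing in this commit shows the new patch actually being applied: `Patch17:` is declared in the second kafka.spec hunk, but no hunk touches `%prep`, which lies outside the diff. If `%prep` applies patches with explicit per-patch lines rather than `%autosetup` or `%autopatch`, the package would still build against jetty 9.4.48.v20220622 while the changelog reports both CVEs as fixed. In that case add a matching line next to the one for Patch16, for example `%patch17 -p1` (the paths inside the patch carry one leading directory component). It is also worth confirming that the jetty jars shipped under `%{kafka_home}` in the built RPM are 9.4.51.v20230217. If Gradle dependencies come from an offline cache, check that the build environment can resolve that version.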
@@ -80,6 +81,8 @@ cp -pr licenses/* $RPM_BUILD_ROOT%{kafka_home}/licenses rm -rf %{buildroot} %changelog +* Tue Oct 21 2025 dongjiao - 2.8.2-18 +- Fix CVE-2023-26048 and CVE-2023-26049. * Fri Dec 08 2023 sundapeng - 2.8.2-17 - log clean relative index range check of group consider empty log segment to avoid too many empty log segment left * Fri Dec 08 2023 sundapeng - 2.8.2-16 -- Gitee