Critical Vulnerabilities identified in librdkafka

[glansbury]

Description

Two CVE's with cvss score of 9.8 identified in this library, please help update.

curl 7.86.0
GHSA-75qm-2q4j-qx6g
https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.libcurl#L48

zlib 1.2.13
GHSA-mq29-j5xf-cjwr
https://github.com/confluentinc/librdkafka/blob/master/mklove/modules/configure.zlib#L45

How to reproduce

Review source code and links provided. Use any SBOM vulnerability scanner to validate that the libraries are being linked into build.

Initially I discovered this in confluent-kafka-go, however, I believe the vulnerability is coming from the C base library librdkafka

Checklist

• librdkafka version: v2.3.0
• librdkafka client configuration: N/A
• Operating system: linux (any base distro)
• Provide logs - N/A. links to source code and CVSS all that is required
• Provide broker log excerpts : N/A
• Critical issue: 9.8 CVSS vulnerabilities.

[mikajylha]

Related issue #4653

[mikajylha]

Another related issue in dotnet lib

[janjwerner-confluent]

Thank you for the report. We are in the process of resolving this issue.