Bump confluent-kafka to 2.6.1 to address CVE (#19099) (#19116)

* Bump confluent-kafka to 2.6.1 to address CVE

* Add changelog

* Override confluent-kafka license (#19100)

(cherry picked from commit 1435476)

Co-authored-by: Kyle Neale <kyle.neale@datadoghq.com>

.builders/images/linux-aarch64/build_script.sh

@@ -21,7 +21,7 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
     LDFLAGS="${LDFLAGS} -L/usr/local/lib -lkrb5 -lgssapi_krb5 -llmdb" \
     DOWNLOAD_URL="https://github.com/confluentinc/librdkafka/archive/refs/tags/v{{version}}.tar.gz" \
         VERSION="${kafka_version}" \
-        SHA256="3dc62de731fd516dfb1032861d9a580d4d0b5b0856beb0f185d06df8e6c26259" \
+        SHA256="0ddf205ad8d36af0bc72a2fec20639ea02e1d583e353163bf7f4683d949e901b" \
         RELATIVE_PATH="librdkafka-{{version}}" \
         bash install-from-source.sh --enable-sasl --enable-curl
     always_build+=("confluent-kafka")

.builders/images/linux-x86_64/build_script.sh

@@ -18,7 +18,7 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
     LDFLAGS="${LDFLAGS} -L/usr/local/lib -lkrb5 -lgssapi_krb5 -llmdb" \
     DOWNLOAD_URL="https://github.com/confluentinc/librdkafka/archive/refs/tags/v{{version}}.tar.gz" \
         VERSION="${kafka_version}" \
-        SHA256="3dc62de731fd516dfb1032861d9a580d4d0b5b0856beb0f185d06df8e6c26259" \
+        SHA256="0ddf205ad8d36af0bc72a2fec20639ea02e1d583e353163bf7f4683d949e901b" \
         RELATIVE_PATH="librdkafka-{{version}}" \
         bash install-from-source.sh --enable-sasl --enable-curl
     always_build+=("confluent-kafka")

.builders/images/macos-x86_64/extra_build.sh

@@ -13,7 +13,7 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
     LDFLAGS="${LDFLAGS} -L${DD_PREFIX_PATH}/lib -lgssapi_krb5 -llmdb" \
     DOWNLOAD_URL="https://github.com/confluentinc/librdkafka/archive/refs/tags/v{{version}}.tar.gz" \
       VERSION="${kafka_version}" \
-      SHA256="3dc62de731fd516dfb1032861d9a580d4d0b5b0856beb0f185d06df8e6c26259" \
+      SHA256="0ddf205ad8d36af0bc72a2fec20639ea02e1d583e353163bf7f4683d949e901b" \
       RELATIVE_PATH="librdkafka-{{version}}" \
       bash install-from-source.sh --prefix="${DD_PREFIX_PATH}" --enable-sasl --enable-curl
 

.ddev/ci/scripts/kafka_consumer/linux/32_install_kerberos.sh

@@ -8,7 +8,7 @@ sudo apt install -y --no-install-recommends build-essential libkrb5-dev wget sof
 # Install librdkafka from source since no binaries are available for the distribution we use on the CI:
 git clone https://github.com/confluentinc/librdkafka
 cd librdkafka
-git checkout v2.5.0
+git checkout v2.6.1
 sudo ./configure --install-deps --prefix=/usr
 make
 sudo make install

.ddev/config.toml

@@ -70,6 +70,8 @@ exclude = true
 aerospike = ['Apache-2.0']
 # https://github.com/pyca/cryptography/blob/main/LICENSE
 cryptography = ['Apache-2.0', 'BSD-3-Clause', 'PSF']
+# https://github.com/confluentinc/confluent-kafka-python/blob/master/LICENSE
+confluent-kafka = ['Apache-2.0']
 # https://github.com/rthalley/dnspython/blob/master/LICENSE
 dnspython = ['ISC']
 # https://github.com/cannatag/ldap3/blob/dev/COPYING.txt

agent_requirements.in

@@ -9,7 +9,7 @@ cachetools==5.5.0
 clickhouse-cityhash==1.0.2.4
 clickhouse-driver==0.2.9
 cm-client==45.0.4
-confluent-kafka==2.5.0
+confluent-kafka==2.6.1
 cryptography==43.0.1
 ddtrace==2.10.6
 dnspython==2.6.1

kafka_consumer/changelog.d/19099.security

@@ -0,0 +1 @@
+Bump confluent-kafka to 2.6.1

kafka_consumer/hatch.toml

@@ -5,7 +5,7 @@
 # Also bump the LIBRDKAFKA_VERSION version in this file
 post-install-commands = [
   "python -m pip uninstall -y confluent-kafka",
-  "python -m pip install --no-binary confluent-kafka confluent-kafka==2.5.0",
+  "python -m pip install --no-binary confluent-kafka confluent-kafka==2.6.1",
 ]
 
 [envs.default.env-vars]

kafka_consumer/pyproject.toml

@@ -36,7 +36,7 @@ license = "BSD-3-Clause"
 
 [project.optional-dependencies]
 deps = [
-    "confluent-kafka==2.5.0",
+    "confluent-kafka==2.6.1",
 ]
 
 [project.urls]