Akka 2.6.21 release for CVE-2023-31442?

Will the fix for "Akka Async DNS resolver has insufficient entropy to protect against DNS poisoning | Akka" be backported to the Akka 2.6 line and a v2.6.21 release done?

Based on Jonas Boner’s comment on 2.6.x maintenance proposal, there is an argument that a v2.6.21 release should be considered.

Also, there are 2 other recent issues in Akka HTTP and Alpakka Kafka that have been listed on "Security Announcements | Akka".

Any clarification on if these issues will be fixed in Apache licensed releases would be appreciated.

I believe this was answered in this recent thread: "Akka Async DNS resolver vulnerability fix for Akka 2.6.x - #2 by jtownley"

In short, none of these are rated as critical, so no backport. (I don’t work for Lightbend, so I can’t speak for them, but that was what was said for CVE-2023-31442 in the other thread and these other two don’t look different.)

Thanks David. I hadn’t spotted that other forum topic.

Many orgs treat CVEs as critical and require that their dev teams upgrade. This one has a CVSS score of 7.5 (High). (NVD - CVE-2023-31442)