beam-issues mailing list archives

From "Tomo Suzuki (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
Date Tue, 23 Feb 2021 17:10:00 GMT

    [ https://issues.apache.org/jira/browse/BEAM-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17289193#comment-17289193 ]

Tomo Suzuki edited comment on BEAM-11227 at 2/23/21, 5:09 PM:
--------------------------------------------------------------

> companies are really picky about using libraries/tools reported by vulnerability reports

That makes sense. We want the automatic detector to unmark the vendored gRPC artifact.

Even if we upgrade to the latest version of gRPC, the line "org.eclipse.jetty.alpn:alpn-api:$alpn_api_version"
remains with version "1.1.2.v20150522" ([my current attempt|https://github.com/apache/beam/pull/14028/files#diff-20e6ab6fadc3019303d5534ed1b041f154a31e9e7a8e5829d6b8fc0a7218f6dfR76])
(It's less than "9.4.32" mentioned in https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921#c2.
The latest is ["1.1.3.v20160715"|https://search.maven.org/artifact/org.eclipse.jetty.alpn/alpn-api/1.1.3.v20160715/jar]).

I'll wait for [~bmbodj]'s response before committing something.




was (Author: suztomo):
> companies are really picky about using libraries/tools reported by vulnerability reports

That makes sense. We want the automatic detector to unmark the vendored gRPC artifact.

Even if we upgrade to the latest version of gRPC, the line "org.eclipse.jetty.alpn:alpn-api:$alpn_api_version"
remains with version "1.1.2.v20150522" ([my current attempt|https://github.com/apache/beam/pull/14028/files#diff-20e6ab6fadc3019303d5534ed1b041f154a31e9e7a8e5829d6b8fc0a7218f6dfR76])
(It's less than "9.4.32" mentioned in https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921#c2).

I'll wait for [~bmbodj]'s response before committing something.



> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] » [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3]
> uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a privilege escalation
> vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.
> *+Affected Versions:+*
>  Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2
> and prior.
>  *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3
> or later.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
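The version comparison behind the scanner finding discussed in this thread, as an added example that is not Beam's build code or any scanner's: it parses Jetty-style version strings, applies the affected ranges quoted in the issue description, and contrasts a check keyed only on the version number (which marks alpn-api 1.1.2.v20150522 as below 9.4.33) with one that also keys on the Maven coordinate. Assumptions: the advisory covers artifacts under the org.eclipse.jetty groupId only, and `jetty-server` stands in as a representative artifact id for the Jetty 9.2.10.v20150310 named in the description.

```python
import re
from typing import Optional, Tuple

# Fixed versions from the BEAM-11227 description; earlier releases on the same
# major line are affected by CVE-2020-27216.
FIXED_VERSIONS = ("9.4.33.v20201020", "10.0.0.beta3", "11.0.0.beta3")

# Assumption: the advisory covers artifacts under this groupId only;
# org.eclipse.jetty.alpn:alpn-api has its own 1.x version line.
AFFECTED_GROUP = "org.eclipse.jetty"


def parse_version(version: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Turn 'X.Y.Z.vYYYYMMDD' or 'X.Y.Z.betaN' into a tuple that sorts correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(v\d{8}|beta\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    qualifier = m.group(4) or ""
    if qualifier.startswith("beta"):  # pre-release sorts before any dated release
        rank = (0, int(qualifier[4:]))
    elif qualifier.startswith("v"):
        rank = (1, int(qualifier[1:]))
    else:
        rank = (1, 0)
    return (major, minor, patch, rank)


def naive_is_affected(coordinate: str) -> bool:
    """A check that only compares the version number, whatever the artifact is."""
    version = coordinate.split(":")[2]
    return parse_version(version) < parse_version(FIXED_VERSIONS[0])


def is_affected(coordinate: str) -> Optional[bool]:
    """Coordinate-aware check: None means the Jetty range does not apply at all."""
    group, _artifact, version = coordinate.split(":")
    if group != AFFECTED_GROUP:
        return None
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[0] == f[0]:
            return v < f
    # Major lines older than 9.x have no fixed release named in the advisory.
    return v[0] < 9


if __name__ == "__main__":
    for c in ("org.eclipse.jetty:jetty-server:9.2.10.v20150310",
              "org.eclipse.jetty.alpn:alpn-api:1.1.2.v20150522"):
        print(c, "naive:", naive_is_affected(c), "coordinate-aware:", is_affected(c))
```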
