flink-issues mailing list archives

From "Patrick Lucas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-10007) Security vulnerability in website build infrastructure
Date Thu, 02 Aug 2018 11:23:00 GMT

[ https://issues.apache.org/jira/browse/FLINK-10007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16566645#comment-16566645 ]

Patrick Lucas commented on FLINK-10007:
---------------------------------------

FWIW, this vulnerability has to do with a specific JSON string being able to crash ruby, which
could result in DoS to a service running it. It's basically inconsequential to us, but might
as well check it off the list I guess.

https://www.cvedetails.com/cve/CVE-2017-16516/

> Security vulnerability in website build infrastructure
> ------------------------------------------------------
>
>                 Key: FLINK-10007
>                 URL: https://issues.apache.org/jira/browse/FLINK-10007
>             Project: Flink
>          Issue Type: Bug
>          Components: Project Website
>            Reporter: Fabian Hueske
>            Priority: Critical
>
> We've got a notification from Apache INFRA about a potential security vulnerability:
> {quote}
> We found a potential security vulnerability in a repository for which you have been granted security alert access.
> @apache apache/flink-web
> Known high severity security vulnerability detected in yajl-ruby < 1.3.1 defined in Gemfile.
> Gemfile update suggested: yajl-ruby ~> 1.3.1.
> {quote}
> This is a problem with the build environment of the website, i.e., this dependency is not distributed or executed with Flink but only run when the website is updated.
> Nonetheless, we should of course update the dependency.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
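As an added example (not code from the JIRA thread or the flink-web project): a Ruby check that reads the locked yajl-ruby version out of a Gemfile.lock and tests it against the `~> 1.3.1` requirement the alert suggests, using RubyGems' own version semantics so `~>` means what Bundler takes it to mean. The lockfile fragment is constructed, not the real flink-web lockfile.

```ruby
# Added example: compare the locked yajl-ruby version against the
# requirement suggested in the GitHub security alert (~> 1.3.1).
require 'rubygems'

SUGGESTED_REQUIREMENT = Gem::Requirement.new('~> 1.3.1')

# Constructed sample Gemfile.lock (not the flink-web one); 1.2.1 is below the fix.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      yajl-ruby (1.2.1)
      kramdown (1.17.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    yajl-ruby
    kramdown
LOCK

# Return the locked version string of gem_name from the GEM/specs block, or nil.
# Top-level specs are indented by exactly four spaces; nested dependency lines
# (six spaces, with constraints instead of a bare version) are skipped.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == 'specs:'
    in_specs = false if in_specs && line.strip.empty? # blank line ends the block
    next unless in_specs
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# True only when yajl-ruby is locked at a version satisfying ~> 1.3.1
# (i.e. >= 1.3.1 and < 1.4). A missing entry is treated as not fixed.
def yajl_fixed?(lockfile_text)
  version = locked_version(lockfile_text, 'yajl-ruby')
  return false if version.nil?
  SUGGESTED_REQUIREMENT.satisfied_by?(Gem::Version.new(version))
end

# The Gemfile line that pins the suggested requirement.
def suggested_gemfile_line
  "gem 'yajl-ruby', '#{SUGGESTED_REQUIREMENT}'"
end

if __FILE__ == $PROGRAM_NAME
  puts "yajl-ruby locked at #{locked_version(SAMPLE_LOCKFILE, 'yajl-ruby')}, " \
       "fixed: #{yajl_fixed?(SAMPLE_LOCKFILE)}; use: #{suggested_gemfile_line}"
end
```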
