flink-issues mailing list archives

From "Matthias (Jira)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-21670) Bump log4j versions (two places - 2.8.2 for Python, 2.13.2 elsewhere)
Date Tue, 09 Mar 2021 09:24:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-21670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17297963#comment-17297963 ]

Matthias commented on FLINK-21670:
----------------------------------

Hi Adam,
thanks for reporting this. {{CVE-2020-9488}} is already reported in FLINK-21411. I'm gonna
link the two tickets.

> Bump log4j versions (two places - 2.8.2 for Python, 2.13.2 elsewhere)
> ---------------------------------------------------------------------
>
>                 Key: FLINK-21670
>                 URL: https://issues.apache.org/jira/browse/FLINK-21670
>             Project: Flink
>          Issue Type: Bug
>          Components: Build System
>            Reporter: Adam Roberts
>            Priority: Minor
>
> Hey everyone, another Twistlock scan done and, in the same manner as https://issues.apache.org/jira/browse/STORM-2528, it
> appears the Flink Python jar's impacted
>  
> Apparently we're using version 2.6.2 and bumping to 2.8.2 should be sufficient to remediate
> at least this potential problem [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5645]
>  
> I've done this scan against both 1.13 and 1.12.2, so ideally should be fixed in both
> if possible please.
>  
>  
> Also while on the subject of log4j, this time not for the Flink Python jar, bumping to
> 2.13.2 of org.apache.logging.log4j_log4j-api from 2.12.1 should fix CVE-2020-9488 (the file
> in question picked up is "/opt/flink/lib/log4j-api-2.12.1.jar").
>  
> Cheers!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
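The report above flags log4j in two places: plain jars under /opt/flink/lib (target 2.13.2) and the log4j bundled into the Flink Python jar (target 2.8.2). The script below is an added example, not Flink project code, that reproduces the kind of check a scanner such as Twistlock performs: it parses `<artifact>-<version>.jar` names from a lib directory and reads the Maven `pom.properties` that shaded libraries usually keep under `META-INF/maven/` inside a fat jar. The version thresholds are the ones named in the report, and which CVE a version addresses is the reporter's statement, not something the script verifies; that the Python jar exposes its log4j version through `pom.properties` is an assumption, and every input (the lib listing and the sample jar) is constructed inline.

```python
"""Find log4j 2 artifacts below a minimum version, both as plain jars in a
lib/ directory and as libraries shaded into a fat jar.

Added example for the FLINK-21670 report; not Flink project code. The minimum
versions (2.13.2 for jars under /opt/flink/lib, 2.8.2 for the log4j bundled in
the Flink Python jar) are the targets the report names. Sample input is
constructed inline.
"""
import io
import re
import zipfile
from pathlib import Path

# "<artifact>-<version>.jar"; the non-greedy artifact group lets a name such as
# log4j-1.2-api-2.12.1.jar resolve to artifact "log4j-1.2-api", version "2.12.1".
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")

# Assumption: shaded jars keep Maven's pom.properties under META-INF, which is
# how a scanner can attribute a version to library classes that were relocated.
POM_PROPS = re.compile(r"^META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$")


def version_key(version):
    """Turn '2.12.1' into (2, 12, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def outdated_jars(jar_names, minimum):
    """Return sorted (artifact, version) pairs for log4j jar names below `minimum`."""
    found = []
    for name in jar_names:
        match = JAR_NAME.match(name)
        if not match or not match["artifact"].startswith("log4j"):
            continue
        if version_key(match["version"]) < version_key(minimum):
            found.append((match["artifact"], match["version"]))
    return sorted(found)


def bundled_log4j_versions(jar_bytes):
    """Map log4j artifact -> version for libraries shaded into a jar given as bytes."""
    versions = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            match = POM_PROPS.match(entry)
            if not match:
                continue
            for line in jar.read(entry).decode("utf-8").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    versions[match.group(1)] = value.strip()
    return versions


def outdated_bundled(jar_bytes, minimum):
    """Return sorted (artifact, version) pairs for shaded log4j libraries below `minimum`."""
    return sorted((artifact, version)
                  for artifact, version in bundled_log4j_versions(jar_bytes).items()
                  if version_key(version) < version_key(minimum))


def make_sample_python_jar():
    """Constructed stand-in for a Flink Python jar that shades log4j 2.6.2."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                     "version=2.6.2\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        jar.writestr("org/apache/flink/python/shaded/Placeholder.class", b"")
    return buffer.getvalue()


# Constructed listing of a lib/ directory; the log4j-api entry matches the
# file path quoted in the report.
SAMPLE_LIB = [
    "flink-dist_2.11-1.12.2.jar",
    "log4j-1.2-api-2.12.1.jar",
    "log4j-api-2.12.1.jar",
    "log4j-core-2.12.1.jar",
    "log4j-slf4j-impl-2.12.1.jar",
]


def scan_lib_dir(path, minimum="2.13.2"):
    """Run the name check over a real directory, e.g. /opt/flink/lib."""
    return outdated_jars((p.name for p in Path(path).iterdir()), minimum)


if __name__ == "__main__":
    for artifact, version in outdated_jars(SAMPLE_LIB, "2.13.2"):
        print(f"lib: {artifact} {version} is below 2.13.2")
    for artifact, version in outdated_bundled(make_sample_python_jar(), "2.8.2"):
        print(f"python jar: shaded {artifact} {version} is below 2.8.2")
```

Filename parsing only covers jars that sit unpacked in lib/; for a shaded artifact the file name says nothing about what it contains, which is why the second check reads the embedded `pom.properties` instead. Comparing versions as integer tuples rather than strings matters here: as strings, "2.8.2" sorts above "2.13.2" and the check would miss the downgrade.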
