flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Debraj Manna (Jira)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-21411) The components on which Flink depends may contain vulnerabilities. If yes, fix them.
Date Sun, 18 Jul 2021 11:54:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-21411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17382815#comment-17382815
] 

Debraj Manna commented on FLINK-21411:
--------------------------------------

We are also observing that flink 1.13.1 getting flagged for CVE-2019-12900 for the usage of
bzip2 in librocksdbjni. 

Not sure if this will help in this case but rocksDB seems to have addressed this CVE in the
below PR

* https://github.com/facebook/rocksdb/issues/6703

> The components on which Flink depends may contain vulnerabilities. If yes, fix them.
> ------------------------------------------------------------------------------------
>
>                 Key: FLINK-21411
>                 URL: https://issues.apache.org/jira/browse/FLINK-21411
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>            Reporter: dgbro
>            Priority: Minor
>              Labels: auto-deprioritized-major
>
> In Flink v1.11.3 contains mesos(version: 1.0.1) okhttp(version: 3.7.0) log4j(version:2.12.1)
netty(version:3.10.6) jackson-databind(2.10.1) jackson(version:2.10.1) and bzip2(version:1.0.6).
There are many vulnerabilities, like CVE-2017-7687,CVE-2017-9790,CVE-2018-8023,CVE-2018-20200,CVE-2020-9488,CVE-2019-20444,CVE-2019-20445,CVE-2019-16869,CVE-2020-25649,CVE-2020-25649,CVE-2019-12900,CVE-2016-3189,CVE-2018-8088
etc. please confirm these version and fix. thx



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message