From: "Chesnay Schepler (Jira)"
To: issues@flink.apache.org
Date: Wed, 4 Aug 2021 14:18:00 +0000 (UTC)
Subject: [jira] [Assigned] (FLINK-23221) Docker image vulnerability
Mailing-List: contact issues-help@flink.apache.org; run by ezmlm
Reply-To: dev@flink.apache.org

     [ https://issues.apache.org/jira/browse/FLINK-23221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chesnay Schepler reassigned FLINK-23221:
----------------------------------------

    Assignee: Chesnay Schepler

> Docker image vulnerability
> --------------------------
>
>                 Key: FLINK-23221
>                 URL: https://issues.apache.org/jira/browse/FLINK-23221
>             Project: Flink
>          Issue Type: Improvement
>          Components: flink-docker
>    Affects Versions: 1.13.1
>         Environment: Issue was discovered by AWS ECR image scanning on apache/flink:1.13.1-scala_2.12
>            Reporter: Razvan AGAPE
>            Assignee: Chesnay Schepler
>            Priority: Critical
>              Labels: docker, flink, glibc
>             Fix For: 1.14.0, 1.13.3
>
>
> The AWS ECR image scanning reports some HIGH vulnerabilities on the apache/flink:1.13.1-scala_2.12 docker image. In addition, all versions prior to this one have these issues.
> The vulnerabilities are the following:
> # [CVE-2021-33574|https://security-tracker.debian.org/tracker/CVE-2021-33574]
> # [CVE-2019-25013 - for this one a patch has been released in glibc version 2.31-9|https://security-tracker.debian.org/tracker/CVE-2019-25013]
> Our security policy does not allow us to deploy images having security vulnerabilities. Searching through the Internet I found that for the first problem, a patch containing the solution will be released this year.
> Do you plan to release a new image containing the newer glibc version in order to solve those issues?
> Also, I checked and the alpine-based flink images do not have these vulnerabilities. Do you plan to release newer versions of flink based on alpine (latest one is flink:1.8.x)?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
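An added example, not part of the JIRA issue or of the Flink project, that turns the reporter's question into a repeatable check: it reimplements dpkg's version-ordering rules (epoch, upstream version, Debian revision, with `~` sorting lowest) in plain Python and compares a scanned image's libc6 package version against the fixed version the report gives for CVE-2019-25013 (2.31-9). CVE-2021-33574 is recorded with no fixed version, matching the report's statement that its fix was still pending, so it is flagged for every version. The `FIXED_IN` table and the installed-version strings are constructed for this example; in practice the installed version would come from `dpkg-query -W -f='${Version}' libc6` run inside the image under review.

```python
import re

# Fixed libc6 versions as stated in the JIRA report: 2.31-9 closes CVE-2019-25013;
# CVE-2021-33574 had no released fix at the time, so it is recorded as None and
# is reported for every installed version. (Constructed table for this example.)
FIXED_IN = {
    "CVE-2019-25013": "2.31-9",
    "CVE-2021-33574": None,
}


def _order(ch):
    """Character weight used by dpkg: '~' sorts before everything, even the end
    of the string; letters sort before other non-digit characters."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _compare_fragment(a, b):
    """Compare an upstream-version or debian-revision string the way dpkg does:
    alternate between non-digit runs (compared with _order, end of string
    weighing 0) and digit runs (compared numerically)."""
    while a or b:
        non_a = re.match(r"\D*", a).group()
        non_b = re.match(r"\D*", b).group()
        a, b = a[len(non_a):], b[len(non_b):]
        for i in range(max(len(non_a), len(non_b))):
            wa = _order(non_a[i]) if i < len(non_a) else 0
            wb = _order(non_b[i]) if i < len(non_b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        dig_a = re.match(r"\d*", a).group()
        dig_b = re.match(r"\d*", b).group()
        a, b = a[len(dig_a):], b[len(dig_b):]
        na = int(dig_a) if dig_a else 0
        nb = int(dig_b) if dig_b else 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order v1 against v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    result = _compare_fragment(u1, u2)
    if result:
        return result
    return _compare_fragment(r1, r2)


def affected_cves(installed_libc6, fixed_in=FIXED_IN):
    """List the CVEs that still apply to an image whose libc6 package is at
    `installed_libc6`: any CVE with no fix, or whose fix is newer than installed."""
    return sorted(
        cve for cve, fixed in fixed_in.items()
        if fixed is None or compare_versions(installed_libc6, fixed) < 0
    )


if __name__ == "__main__":
    # Constructed sample inputs standing in for the output of
    #   dpkg-query -W -f='${Version}' libc6
    # run inside the scanned image.
    for version in ("2.28-10", "2.31-9", "2.31-13"):
        print(version, "->", affected_cves(version) or "none of the listed CVEs")
```

The check answers the report's two points separately: an image rebuilt on a base with libc6 at or above 2.31-9 drops CVE-2019-25013 from the list, while CVE-2021-33574 keeps being reported until a fixed version is added to the table, which is exactly why rebuilding alone could not clear the scanner at the time of the report.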