[jira] [Commented] (FLINK-29235) CVE-2022-25857 on flink-shaded
[ https://issues.apache.org/jira/browse/FLINK-29235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17629998#comment-17629998 ] Sergio Sainz commented on FLINK-29235: -- Hi , could we evaluate for addition in 1.16.1? > CVE-2022-25857 on flink-shaded > -- > > Key: FLINK-29235 > URL: https://issues.apache.org/jira/browse/FLINK-29235 > Project: Flink > Issue Type: Bug > Components: Build System, BuildSystem / Shaded >Affects Versions: 1.15.2 >Reporter: Sergio Sainz >Assignee: Chesnay Schepler >Priority: Major > Fix For: 1.17.0 > > > flink-shaded-version uses snakeyaml v1.29 which is vulnerable to > CVE-2022-25857 > Ref: > https://nvd.nist.gov/vuln/detail/CVE-2022-25857 > https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom > https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (FLINK-29235) CVE-2022-25857 on flink-shaded
[ https://issues.apache.org/jira/browse/FLINK-29235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627076#comment-17627076 ] Martijn Visser commented on FLINK-29235: Fixed in master: cffb8d9dfc0aed7038574cb16826cf9e9573248e To-do: shaded > CVE-2022-25857 on flink-shaded > -- > > Key: FLINK-29235 > URL: https://issues.apache.org/jira/browse/FLINK-29235 > Project: Flink > Issue Type: Bug > Components: Build System, BuildSystem / Shaded >Affects Versions: 1.15.2 >Reporter: Sergio Sainz >Assignee: Chesnay Schepler >Priority: Major > > flink-shaded-version uses snakeyaml v1.29 which is vulnerable to > CVE-2022-25857 > Ref: > https://nvd.nist.gov/vuln/detail/CVE-2022-25857 > https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom > https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (FLINK-29235) CVE-2022-25857 on flink-shaded
[ https://issues.apache.org/jira/browse/FLINK-29235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17623369#comment-17623369 ] Sergio Sainz commented on FLINK-29235: -- Hello [~chesnay] Noticed the flink-shaded-jackson v2.13.4-16.0 already has the fix (it uses jackson's own snakeyaml version which is 1.31). Could we upgrade flink-shaded version in flink version 1.16.0 to use 2.13.4-16.0? [https://github.com/apache/flink/blob/release-1.16.0-rc2/pom.xml#L125] ``` 16.0 2.13.4 ``` ref: [https://repo1.maven.org/maven2/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.13.4/jackson-dataformat-yaml-2.13.4.pom] [https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.13.4-16.0/flink-shaded-jackson-2.13.4-16.0.pom] > CVE-2022-25857 on flink-shaded > -- > > Key: FLINK-29235 > URL: https://issues.apache.org/jira/browse/FLINK-29235 > Project: Flink > Issue Type: Bug > Components: Build System, BuildSystem / Shaded >Affects Versions: 1.15.2 >Reporter: Sergio Sainz >Assignee: Chesnay Schepler >Priority: Major > > flink-shaded-version uses snakeyaml v1.29 which is vulnerable to > CVE-2022-25857 > Ref: > https://nvd.nist.gov/vuln/detail/CVE-2022-25857 > https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom > https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (FLINK-29235) CVE-2022-25857 on flink-shaded
[ https://issues.apache.org/jira/browse/FLINK-29235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606628#comment-17606628 ] Chesnay Schepler commented on FLINK-29235: -- Mind you that the CVE likely doesn't apply because we only use it to parse the configuration. > CVE-2022-25857 on flink-shaded > -- > > Key: FLINK-29235 > URL: https://issues.apache.org/jira/browse/FLINK-29235 > Project: Flink > Issue Type: Bug > Components: BuildSystem / Shaded >Affects Versions: 1.15.2 >Reporter: Sergio Sainz >Assignee: Chesnay Schepler >Priority: Major > > flink-shaded-version uses snakeyaml v1.29 which is vulnerable to > CVE-2022-25857 > Ref: > https://nvd.nist.gov/vuln/detail/CVE-2022-25857 > https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom > https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (FLINK-29235) CVE-2022-25857 on flink-shaded
[ https://issues.apache.org/jira/browse/FLINK-29235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606626#comment-17606626 ] Chesnay Schepler commented on FLINK-29235: -- I guess so. > CVE-2022-25857 on flink-shaded > -- > > Key: FLINK-29235 > URL: https://issues.apache.org/jira/browse/FLINK-29235 > Project: Flink > Issue Type: Bug > Components: BuildSystem / Shaded >Affects Versions: 1.15.2 >Reporter: Sergio Sainz >Assignee: Chesnay Schepler >Priority: Major > > flink-shaded-version uses snakeyaml v1.29 which is vulnerable to > CVE-2022-25857 > Ref: > https://nvd.nist.gov/vuln/detail/CVE-2022-25857 > https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom > https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (FLINK-29235) CVE-2022-25857 on flink-shaded
[ https://issues.apache.org/jira/browse/FLINK-29235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606618#comment-17606618 ] Martijn Visser commented on FLINK-29235: [~chesnay] Should this be fixed before Flink 1.16? > CVE-2022-25857 on flink-shaded > -- > > Key: FLINK-29235 > URL: https://issues.apache.org/jira/browse/FLINK-29235 > Project: Flink > Issue Type: Bug > Components: BuildSystem / Shaded >Affects Versions: 1.15.2 >Reporter: Sergio Sainz >Priority: Major > > flink-shaded-version uses snakeyaml v1.29 which is vulnerable to > CVE-2022-25857 > Ref: > https://nvd.nist.gov/vuln/detail/CVE-2022-25857 > https://repo1.maven.org/maven2/org/apache/flink/flink-shaded-jackson/2.12.4-15.0/flink-shaded-jackson-2.12.4-15.0.pom > https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/flink-shaded-jackson-2/pom.xml#L73 -- This message was sent by Atlassian Jira (v8.20.10#820010)