This is an automated email from the ASF dual-hosted git repository. damccorm pushed a commit to branch users/damccorm/securityVulns in repository https://gitbox.apache.org/repos/asf/beam.git
commit ee9cc7e67c1ecc3710cea35551786fc34f222670 Author: Danny McCormick <[email protected]> AuthorDate: Mon Sep 11 16:22:57 2023 -0400 Call out fixed security vulnerabilities These will get automatically picked up when we pick up the new `python:3.XX-bullseye` images which have upgraded their debian versions already (for example https://hub.docker.com/layers/library/python/3.9-bullseye/images/sha256-d7e28b2648cb4611a94f068d92a236e7faaf6edb7589e01c09c1c16035c26d0a?context=explore has debian/aom 1.0.0.errata1-3+deb11u1 which has the fix). I confirmed that all 4 versions 3.<8, 9, 10, and 11> have the fix. --- CHANGES.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index e9a3044b6ea..b9ad4718645 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -83,7 +83,7 @@ * Fixed X (Java/Python) ([#X](https://github.com/apache/beam/issues/X)). ## Security Fixes -* Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)). +* Python containers updated, fixing [CVE-2021-30474](https://nvd.nist.gov/vuln/detail/CVE-2021-30474), [CVE-2021-30475](https://nvd.nist.gov/vuln/detail/CVE-2021-30475), [CVE-2021-30473](https://nvd.nist.gov/vuln/detail/CVE-2021-30473), [CVE-2020-36133](https://nvd.nist.gov/vuln/detail/CVE-2020-36133), [CVE-2020-36131](https://nvd.nist.gov/vuln/detail/CVE-2020-36131), [CVE-2020-36130](https://nvd.nist.gov/vuln/detail/CVE-2020-36130), and [CVE-2020-36135](https://nvd.nist.gov/vuln/detail/ [...] ## Known Issues 
@@ -146,6 +146,7 @@ * Long-running Python pipelines might experience a memory leak: [#28246](https://github.com/apache/beam/issues/28246). * Python Pipelines using BigQuery IO or `orjson` dependency might experience segmentation faults or get stuck: [#28318](https://github.com/apache/beam/issues/28318). +* Beam Python containers rely on a version of Debian/aom that has several security vulnerabilities: [CVE-2021-30474](https://nvd.nist.gov/vuln/detail/CVE-2021-30474), [CVE-2021-30475](https://nvd.nist.gov/vuln/detail/CVE-2021-30475), [CVE-2021-30473](https://nvd.nist.gov/vuln/detail/CVE-2021-30473), [CVE-2020-36133](https://nvd.nist.gov/vuln/detail/CVE-2020-36133), [CVE-2020-36131](https://nvd.nist.gov/vuln/detail/CVE-2020-36131), [CVE-2020-36130](https://nvd.nist.gov/vuln/detail/CVE-202 [...] # [2.49.0] - 2023-07-17
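Review bot: In the `@@ -83` hunk the new Security Fixes entry says "Python containers updated" without stating what actually changed, and it drops the issue reference that the surrounding entries and the removed template line carry (`([#X](https://github.com/apache/beam/issues/X))`). The commit message says the fix arrives only once the newer `python:3.XX-bullseye` base images with `debian/aom 1.0.0.errata1-3+deb11u1` are picked up; suggest naming that package version (or the tracking issue) in the entry so a reader can verify which container images actually carry the fix rather than trusting the changelog line alone. Minor: the CVE links point at nvd.nist.gov while the template line used cve.org; either is fine, but pick one for the section.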
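Review bot: In the `@@ -146` hunk the added Known Issues bullet is the only entry in the list without a tracking link, unlike its neighbours (`[#28246]`, `[#28318]`), and it does not say which release it is fixed in. Suggest appending an issue reference and a short pointer such as "fixed in the next release by updating the Python container base images" so users on the affected version know whether upgrading resolves it; the list of seven CVE links could also be collapsed to a single reference to the Security Fixes entry to avoid maintaining the same list in two places.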
