Purushottam Sinha created FLINK-39670:
-----------------------------------------
Summary: Bump Flink-controlled Java dependencies to resolve CVEs
Part 2 (kafka-clients, okhttp, zookeeper, wiremock)
Key: FLINK-39670
URL: https://issues.apache.org/jira/browse/FLINK-39670
Project: Flink
Issue Type: Improvement
Reporter: Purushottam Sinha
Several Flink-controlled Java dependencies have known CVEs requiring updates:
- kafka-clients 3.2.3 (direct test-scope dep in flink-sql-client-test) contains CVE-2024-31141, CVE-2025-27817
- okhttp 3.7.0 (hardcoded test-scope override in flink-runtime) contains CVE-2018-20200
- zookeeper 3.7.2 (root pom managed pin) contains CVE-2024-23944
- wiremock-jre8 2.32.0 (test-scope in flink-metrics-influxdb) contains CVE-2023-41327, CVE-2023-41329
*Proposed updates:*
- Bump kafka-clients to 3.9.2 in flink-sql-client-test (direct test-scope dep)
- Drop the hardcoded okhttp 3.7.0 in flink-runtime so it inherits ${okhttp.version} (3.14.9) from the root pom
- Bump zookeeper.version to 3.8.5 (pairs with flink-shaded-zookeeper-3 3.8.5-21.0, already published on Maven Central); update the matching testcontainer Docker tag in FlinkTestcontainersConfigurator per the in-pom "keep in sync" comment
- Bump wiremock-jre8 to 2.35.2 in flink-metrics-influxdb
*Out of scope:*
CVEs that come in via Hadoop / Alluxio / kubernetes-client transitives.
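A check for the versions proposed above, added here as an example and not part of the ticket or the Flink build: it parses `mvn dependency:tree` output and flags any of the four artifacts that still resolves below the fixed version, including the hardcoded test-scope override case. The Maven coordinates and the sample tree lines are assumptions constructed for the example.

```python
import re

# Minimum fixed versions from the FLINK-39670 proposal. The Maven coordinates
# are the usual ones for these artifacts and are an assumption of this example.
FIXED_VERSIONS = {
    "org.apache.kafka:kafka-clients": "3.9.2",
    "com.squareup.okhttp3:okhttp": "3.14.9",
    "org.apache.zookeeper:zookeeper": "3.8.5",
    "com.github.tomakehurst:wiremock-jre8": "2.35.2",
}

# Constructed sample of `mvn dependency:tree` output (not real Flink build output).
SAMPLE_TREE = """\
[INFO] org.apache.flink:flink-sql-client-test:jar:X-SNAPSHOT
[INFO] +- org.apache.kafka:kafka-clients:jar:3.2.3:test
[INFO] |  \\- org.lz4:lz4-java:jar:1.8.0:test
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.8.5:compile
[INFO] +- com.squareup.okhttp3:okhttp:jar:3.7.0:test
[INFO] \\- com.github.tomakehurst:wiremock-jre8:jar:tests:2.35.2:test
"""

# Strips the "[INFO]" tag and the tree-drawing characters before a coordinate.
TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")

def version_key(version):
    """Order versions numerically, e.g. '3.8.5-21.0' -> (3, 8, 5, 21, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_tree(text):
    """Return (groupId:artifactId, version, scope) for each dependency line."""
    deps = []
    for line in text.splitlines():
        parts = TREE_PREFIX.sub("", line).strip().split(":")
        if len(parts) == 5:    # groupId:artifactId:type:version:scope
            g, a, _type, version, scope = parts
        elif len(parts) == 6:  # same, with a classifier before the version
            g, a, _type, _classifier, version, scope = parts
        else:                  # root artifact line (no scope) or non-tree noise
            continue
        deps.append((g + ":" + a, version, scope))
    return deps

def find_outdated(text):
    """Return (coordinate, found, required, scope) for deps resolving below the fix."""
    findings = []
    for coord, version, scope in parse_tree(text):
        required = FIXED_VERSIONS.get(coord)
        if required and version_key(version) < version_key(required):
            findings.append((coord, version, required, scope))
    return findings
```

Run it against the real tree of each affected module after the bump; an empty result from `find_outdated` confirms no stale pin or override remains.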
Predecessor: https://issues.apache.org/jira/browse/FLINK-39580
--
This message was sent by Atlassian Jira
(v8.20.10#820010)