[jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Sat, 20 Feb 2021 01:03:06 -0800 


    [ 
https://issues.apache.org/jira/browse/BEAM-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17287602#comment-17287602
 ] 

Ismaël Mejía commented on BEAM-11227:
-------------------------------------

Yes this is possible actually this is what we did in the past when moving from 
version 1.13.1.

Notice that this process has two steps:
1. Upgrade and release (independently) the vendored dependency.
2. Update the Beam codebase to use the vendored dependency (usually a huge but 
relatively straight forward PR).

(1) requires a vote in the mailing list and ideally (2) to have been tested in 
advance.

I can help with the vote/release part if you like when we can confirm that the 
upgrade works. Also I think the upgrade is worth to catch up with the latest 
releases and improvements of gRPC independent of the security issue but that's 
a good question. [~bmbodj] How did you get to know about this vulnerability and 
its relation with this module?. Seems odd because gRPC seems not to have any 
use jetty

 

 

 

 

> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 
> 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0]
>  » 
> [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3]
>  uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a  
> privilege escalation vulnerability. This issue (CVE-2020-27216) was published 
> on 23/10/2020.
> *+Affected Versions:+*
>  Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior 
> and 11.0.0.beta2 and prior.
>  *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 
> 10.0.0.beta3, 11.0.0.beta3 or later.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to