[
https://issues.apache.org/jira/browse/BEAM-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17289193#comment-17289193
]
Tomo Suzuki edited comment on BEAM-11227 at 2/23/21, 5:12 PM:
--------------------------------------------------------------
> companies are really picky about using libraries/tools reported by
> vulnerability reports
That makes sense. We want the automatic detector to unmark the vendored gRPC
artifact.
Even if we upgrade to the latest version of gRPC, the line
"org.eclipse.jetty.alpn:alpn-api:$alpn_api_version" remains with version
"1.1.2.v20150522" ([my current
attempt|https://github.com/apache/beam/pull/14028/files#diff-20e6ab6fadc3019303d5534ed1b041f154a31e9e7a8e5829d6b8fc0a7218f6dfR76])
(It's less than "9.4.32" mentioned in
[https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921#c2]. The latest is
["1.1.3.v20160715"|https://search.maven.org/artifact/org.eclipse.jetty.alpn/alpn-api/1.1.3.v20160715/jar]).
On the other hand, this issue description clearly say "Eclipse Jetty
(9.2.10.v20150310)". Where is this version coming from?
I'll wait for [~bmbodj]'s response before committing something.
was (Author: suztomo):
> companies are really picky about using libraries/tools reported by
> vulnerability reports
That makes sense. We want the automatic detector to unmark the vendored gRPC
artifact.
Even if we upgrade to the latest version of gRPC, the line
"org.eclipse.jetty.alpn:alpn-api:$alpn_api_version" remains with version
"1.1.2.v20150522" ([my current
attempt|https://github.com/apache/beam/pull/14028/files#diff-20e6ab6fadc3019303d5534ed1b041f154a31e9e7a8e5829d6b8fc0a7218f6dfR76])
(It's less than "9.4.32" mentioned in
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921#c2. The latest is
["1.1.3.v20160715"|https://search.maven.org/artifact/org.eclipse.jetty.alpn/alpn-api/1.1.3.v20160715/jar]).
I'll wait for [~bmbodj]'s response before committing something.
> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
> Key: BEAM-11227
> URL: https://issues.apache.org/jira/browse/BEAM-11227
> Project: Beam
> Issue Type: Bug
> Components: build-system
> Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
> Reporter: Boury Mbodj
> Priority: P1
> Labels: apache-beam, beam
> Fix For: 2.29.0
>
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC ::
> 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0]
> »
> [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3]
> uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a
> privilege escalation vulnerability. This issue (CVE-2020-27216) was published
> on 23/10/2020.
> *+Affected Versions:+*
> Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior
> and 11.0.0.beta2 and prior.
> *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020,
> 10.0.0.beta3, 11.0.0.beta3 or later.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
