[jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Tue, 23 Mar 2021 21:32:05 -0700 


     [ 
https://issues.apache.org/jira/browse/BEAM-11227?focusedWorklogId=570924&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-570924
 ]

ASF GitHub Bot logged work on BEAM-11227:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Mar/21 04:31
            Start Date: 24/Mar/21 04:31
    Worklog Time Spent: 10m 
      Work Description: kennknowles commented on pull request #14295:
URL: https://github.com/apache/beam/pull/14295#issuecomment-805481601


   The merge commit associated with this PR may be at an unhealthy point in 
`master` branch. I believe that the merge commit is updated only when the PR is 
updated. So you may need to rebase to force healthy tests.
   
   We can note the health status to avoid re-running too many tests:
   
    - The only failure to be concerned about is `Run Java PostCommit`
       - the failed targets are 
`:sdks:java:io:google-cloud-platform:integrationTest` and 
`:runners:google-cloud-dataflow-java:googleCloudPlatformRunnerV2IntegrationTest`
       - notably, V1 integration tests with GCP IOs passed and also V2 
integration tests with examples passed
   
   This points to issues we had on master recently.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 570924)
    Time Spent: 60h  (was: 59h 50m)

> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Assignee: Kenneth Knowles
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 60h
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 
> 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0]
>  » 
> [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3]
>  uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a  
> privilege escalation vulnerability. This issue (CVE-2020-27216) was published 
> on 23/10/2020.
> *+Affected Versions:+*
>  Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior 
> and 11.0.0.beta2 and prior.
>  *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 
> 10.0.0.beta3, 11.0.0.beta3 or later.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to