[jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Wed, 24 Mar 2021 08:39:06 -0700 


     [ 
https://issues.apache.org/jira/browse/BEAM-11227?focusedWorklogId=571252&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-571252
 ]

ASF GitHub Bot logged work on BEAM-11227:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Mar/21 15:38
            Start Date: 24/Mar/21 15:38
    Worklog Time Spent: 10m 
      Work Description: suztomo edited a comment on pull request #14295:
URL: https://github.com/apache/beam/pull/14295#issuecomment-805861194


   With this (not specifying 
`testTeardownCalledAfterExceptionInFinishBundleStateful`), it failed in 7 times 
for 100 attempts. 
   
   ```
   #!/bin/bash
   
   C=0
   for I in `seq 100`; do
     echo "Attempt: $I"
     ./gradlew --no-build-cache -p runners/direct-java cleanTest 
needsRunnerTests --tests org.apache.beam.sdk.transforms.ParDoLifecycleTest
     if [ "$?" != 0 ];then
       C=$((C+1))
     fi
   done
   echo "Failed $C times"
   ```
   
   Tried `Parameterized.class` to run it repeatedly.
    
https://github.com/apache/beam/commit/498cf76ac55939713a4a4fbef711a21a652ebcf8
   
   It fails in the master branch too: "1100 tests completed, 6 failed".
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 571252)
    Time Spent: 63h 10m  (was: 63h)

> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Assignee: Kenneth Knowles
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 63h 10m
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 
> 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0]
>  » 
> [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3]
>  uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a  
> privilege escalation vulnerability. This issue (CVE-2020-27216) was published 
> on 23/10/2020.
> *+Affected Versions:+*
>  Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior 
> and 11.0.0.beta2 and prior.
>  *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 
> 10.0.0.beta3, 11.0.0.beta3 or later.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to