[
https://issues.apache.org/jira/browse/FLINK-19784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17219652#comment-17219652
]
Robert Metzger commented on FLINK-19784:
----------------------------------------
The problem with this vulnerability is that okhttp has not fixed it:
https://github.com/square/okhttp/issues/4967, because they can not fix it: An
attacker needs so much control over the device, that they could change the
traffic either way. At least that's how I understood another summary of the
issue:
https://github.com/launchdarkly/java-server-sdk/issues/187#issuecomment-601858896.
I propose to close this ticket this ticket as invalid.
> Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200
> -------------------------------------------------------
>
> Key: FLINK-19784
> URL: https://issues.apache.org/jira/browse/FLINK-19784
> Project: Flink
> Issue Type: Task
> Components: Runtime / Metrics
> Affects Versions: 1.12.0, 1.11.2
> Reporter: Till Rohrmann
> Priority: Critical
> Fix For: 1.12.0, 1.11.3
>
>
> A user reported a dependency vulnerability which affects {{okhttp}} [1]. We
> should upgrade this dependency to {{3.13.0}} or newer. The dependency is used
> by the datadog reporter.
> [1]
> https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
