[https://issues.apache.org/jira/browse/FLINK-19781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221521#comment-17221521]
Robert Metzger commented on FLINK-19781:
----------------------------------------
I decided against backporting the fix to 1.11.3 because it is a big version
jump (that could introduce instabilities, maybe classloading issues with user
code), and there's no immediately visible exploit for Flink due to this
vulnerability.
The specific issue reported in commons-codec is about Base64 decode. I'm not
aware of any use of that in Flink.
> Upgrade commons_codec to 1.13 or newer
> --------------------------------------
>
> Key: FLINK-19781
> URL: https://issues.apache.org/jira/browse/FLINK-19781
> Project: Flink
> Issue Type: Task
> Components: Table SQL / Planner
> Affects Versions: 1.12.0, 1.11.2
> Reporter: Till Rohrmann
> Assignee: Robert Metzger
> Priority: Critical
> Labels: pull-request-available
> Fix For: 1.12.0
>
>
> A user reported a dependency vulnerability which affects {{commons_codec}}
> [1]. We should try to upgrade this version to 1.13 or newer.
> [1]
> https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E
--
This message was sent by Atlassian Jira
(v8.3.4#803005)