[ https://issues.apache.org/jira/browse/FLINK-19785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17221523#comment-17221523 ]

Robert Metzger commented on FLINK-19785:
----------------------------------------

I decided against backporting the fix to 1.11.3 because it is a big version 
jump (that could introduce instabilities, maybe classloading issues with user 
code), and there's no immediately visible exploit for Flink due to this 
vulnerability.
The specific issue reported in commons-io is about FileNameUtils.normalize, 
which we are not using in Flink.

> Upgrade commons-io to 2.7 or newer
> ----------------------------------
>
>                 Key: FLINK-19785
>                 URL: https://issues.apache.org/jira/browse/FLINK-19785
>             Project: Flink
>          Issue Type: Task
>          Components: Runtime / Coordination
>    Affects Versions: 1.12.0, 1.11.2
>            Reporter: Till Rohrmann
>            Assignee: Robert Metzger
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 1.12.0
>
>
> A user reported a dependency vulnerability which affects {{commons-io}} [1]. 
> We should try to upgrade this dependency to {{2.7}} or newer.
> [1] 
> https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E
--
This message was sent by Atlassian Jira
(v8.3.4#803005)