zentol commented on a change in pull request #408:
URL: https://github.com/apache/flink-web/pull/408#discussion_r552511042



##########
File path: security.md
##########
@@ -0,0 +1,74 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/804ae70024bf8be7c0c7093d02addb080c318662";>Fixed
 in commit 804ae70024bf8be7c0c7093d02addb080c318662</a> <br>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
+               </td>
+               <td>
+                       1.5.1 to 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
+               </td>
+               <td>
+                       1.11.0, 1.11.1, 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+</table>
+
+
+## Frequently Asked Questions
+
+### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
+
+Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit jar files to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifing 
local files is possible.
+
+Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
+
+**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting the access to a Flink cluster via appropriate means.
+
+
+### I found a vulnerability in Flink, how do I report it?
+
+Thanks a lot for lookiing into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](http://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
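Review bot: the `<table>` opens a `<thead>` for the header row but the three data `<tr>` rows are not wrapped in a `<tbody>`, so the markup is inconsistent with the header block; wrap the rows in `<tbody>…</tbody>`. In the first FAQ answer, `modifing` should be `modifying` (the suggestion on this file only fixes `lookiing`).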

Review comment:
    ```suggestion
    Thanks a lot for looking into the security of Apache Flink! We appreciate reports improving the security of Flink. We accept vulnerability reports through the [Apache Security Team](http://www.apache.org/security/), via their private email address [[email protected]](mailto:[email protected]).
    ```

##########
File path: _includes/navbar.html
##########
@@ -177,7 +177,9 @@
 
               <a class="smalllinks" href="https://www.apache.org/licenses/"; 
target="_blank">License</a> <small><span class="glyphicon 
glyphicon-new-window"></span></small>
 
-              <a class="smalllinks" href="https://www.apache.org/security/"; 
target="_blank">Security</a> <small><span class="glyphicon 
glyphicon-new-window"></span></small>
+              <a class="smalllinks" href="{{ baseurl_i18n 
}}/security.html">Flink Security</a>
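Review bot: the layout breakage in the sidebar is most likely the longer label: the removed entry read `Security` and the new one reads `Flink Security` in the same `smalllinks` row. Since the page already lives on the Flink site, the `Flink` prefix is redundant; keeping the label as `Security` preserves the width of the removed entry. Dropping `target="_blank"` and the new-window glyphicon is correct for an internal link.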

Review comment:
    This kinda ruins the current layout of the sidebar.

    ![Screenshot_2021-01-06 Apache Flink Stateful Computations over Data Streams](https://user-images.githubusercontent.com/5725237/103763130-b110ba00-5019-11eb-8021-5522db21c5b4.png)

    Maybe we could throw out some other item in the sidebar instead, like the plan visualizer.

##########
File path: security.zh.md
##########
@@ -0,0 +1,74 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/804ae70024bf8be7c0c7093d02addb080c318662";>Fixed
 in commit 804ae70024bf8be7c0c7093d02addb080c318662</a> <br>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
+               </td>
+               <td>
+                       1.5.1 to 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
+               </td>
+               <td>
+                       1.11.0, 1.11.1, 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+</table>
+
+
+## Frequently Asked Questions
+
+### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
+
+Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit jar files to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifing 
local files is possible.
+
+Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
+
+**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting the access to a Flink cluster via appropriate means.
+
+
+### I found a vulnerability in Flink, how do I report it?
+
+Thanks a lot for lookiing into the security of Apache Flink! We appreciate 
reports improving the security of Flink. We accept vulnerability reports 
through the [Apache Security Team](http://www.apache.org/security/), via their 
private email address [[email protected]](mailto:[email protected]).
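Review bot: `security.zh.md` is a verbatim copy of the English `security.md`, title included, so the Chinese site will render untranslated English and the two files will have to be kept in sync by hand. If a translation is not available yet, at least carry over the same fixes being suggested on `security.md` (`lookiing`, `modifing`, the `jar files` wording), since the suggestion on this file corrects only the first of them.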

Review comment:
    ```suggestion
    Thanks a lot for looking into the security of Apache Flink! We appreciate reports improving the security of Flink. We accept vulnerability reports through the [Apache Security Team](http://www.apache.org/security/), via their private email address [[email protected]](mailto:[email protected]).
    ```

##########
File path: security.md
##########
@@ -0,0 +1,74 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/804ae70024bf8be7c0c7093d02addb080c318662";>Fixed
 in commit 804ae70024bf8be7c0c7093d02addb080c318662</a> <br>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
+               </td>
+               <td>
+                       1.5.1 to 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
+               </td>
+               <td>
+                       1.11.0, 1.11.1, 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+</table>
+
+
+## Frequently Asked Questions
+
+### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
+
+Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit jar files to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifing 
local files is possible.
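Review bot: the FAQ heading is a comma splice; `… allows for remote code execution. Is this an issue?` or `Is it an issue that Flink allows remote code execution?` reads as a proper question. The answer would also be clearer if it said outright that submitted code runs with the same operating-system privileges as the Flink process that executes it, which is what makes the listed capabilities (spawning processes, opening connections, modifying local files) possible.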

Review comment:
    ```suggestion
    Apache Flink is a framework for executing user-supplied code in clusters. Users can submit code to Flink processes, which will be executed unconditionally, without any attempts to limit what code can run. Starting other processes, establishing network connections or accessing and modifying local files is possible.
    ```
    Given the existence of python/sql jobs, "jar files" seems outdated. Maybe just call it "code".

##########
File path: security.md
##########
@@ -0,0 +1,74 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/804ae70024bf8be7c0c7093d02addb080c318662";>Fixed
 in commit 804ae70024bf8be7c0c7093d02addb080c318662</a> <br>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17518";>CVE-2020-17518</a>
+               </td>
+               <td>
+                       1.5.1 to 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4";>Fixed
 in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17519";>CVE-2020-17519</a>
+               </td>
+               <td>
+                       1.11.0, 1.11.1, 1.11.2
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801";>Fixed
 in commit b561010b0ee741543c3953306037f00d7a9f0801</a> <br>
+                       Users are advised to upgrade to Flink 1.11.3 or 1.12.0 
or later versions.
+               </td>
+       </tr>
+</table>
+
+
+## Frequently Asked Questions
+
+### During a security analysis of Flink, I noticed that Flink allows for 
remote code execution, is this an issue?
+
+Apache Flink is a framework for executing user-supplied code in clusters. 
Users can submit jar files to Flink processes, which will be executed 
unconditionally, without any attempts to limit what code can run. Starting 
other processes, establishing network connections or accessing and modifing 
local files is possible.
+
+Historically, we've received numerous remote code execution vulnerability 
reports, which we had to reject, as this is by design.
+
+**We strongly discourage users to expose Flink processes to the public 
internet**. Within company networks or "cloud" accounts, we recommend 
restricting the access to a Flink cluster via appropriate means.
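Review bot: `discourage users to expose` is ungrammatical; the suggestion below keeps it, so it should read `We strongly discourage users from exposing Flink processes to the public internet`. `via appropriate means` is also too vague for a security page: name the kind of control expected, for example restricting network access to the cluster's endpoints to the people and systems that need to submit jobs, so that the sentence gives a reader something actionable.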

Review comment:
    ```suggestion
    **We strongly discourage users to expose Flink processes to the public internet**. Within company networks or "cloud" accounts, we recommend restricting access to a Flink cluster via appropriate means.
    ```

##########
File path: security.md
##########
@@ -0,0 +1,74 @@
+---
+title: "Security"
+---
+
+{% toc %}
+
+
+## Security Updates
+
+This section lists fixed vulnerabilities in Flink.
+
+<table class="table">
+       <thead>
+               <tr>
+                       <th style="width: 20%">CVE ID</th>
+                       <th style="width: 30%">Affected Flink versions</th>
+                       <th style="width: 50%">Notes</th>
+               </tr>
+       </thead>
+       <tr>
+               <td>
+                       <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1960";>CVE-2020-1960</a>
+               </td>
+               <td>
+                       1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 
to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 
to 1.9.2, 1.10.0
+               </td>
+               <td>
+                       <a 
href="https://github.com/apache/flink/commit/804ae70024bf8be7c0c7093d02addb080c318662";>Fixed
 in commit 804ae70024bf8be7c0c7093d02addb080c318662</a> <br>
+                       Users are advised to upgrade to Flink 1.9.3 or 1.10.1 
or later versions.
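Review bot: the affected-versions cell for CVE-2020-1960 runs ten ranges together on one line, which is hard to scan in a 30%-wide column; separate them with `<br>` or put one range per list item. Independently of the commit-hash question, the Notes cell should link to the published advisory text rather than only to a commit, since the advisory is where the configuration-based mitigation is described.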

Review comment:
    This not only excludes some information from the actual advisory we published (at the very least changing the configuration should be listed as an option), but for users upgrading to 1.9.3 the commit hash is also wrong, and thus of questionable value (also applies to other entries). Maybe just omit the commit hash entirely.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
