[
https://issues.apache.org/jira/browse/FLINK-21546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17297475#comment-17297475
]
Adam Roberts edited comment on FLINK-21546 at 3/8/21, 3:48 PM:
---------------------------------------------------------------
This has been closed but I've actually done a scan today against Flink 1.12.2
and 1.13 snapshot (building it myself) and I see
"link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445",
"type": "image",
"layerTime": 1615203557,
"templates": [],
"twistlock": false,
"published": 1580332500,
"discovered": "0001-01-01T00:00:00Z",
"severityCHML": "C",
"packageName": "io.netty_netty-codec",
"packageVersion": "4.1.42.Final",
"packageBinaryPkgs": [],
"packageType": "jar",
"packagePath": "/opt/flink/opt/flink-python_2.11-1.13-SNAPSHOT.jar",
still, with a suggestion to move up to netty 4.1.44. Any thoughts on this one?
Am I right in assuming it requires
https://issues.apache.org/jira/browse/FLINK-21021 because of the beam upgrade
required?
I am also seeing
"link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445",
"type": "image",
"layerTime": 1615203557,
"templates": [],
"twistlock": false,
"published": 1580332500,
"discovered": "0001-01-01T00:00:00Z",
"severityCHML": "C",
"packageName": "io.netty_netty",
"packageVersion": "3.10.6.Final",
"packageBinaryPkgs": [],
"packageType": "jar",
"packagePath": "/opt/flink/lib/flink-dist_2.11-1.13-SNAPSHOT.jar",
was (Author: aroberts):
This has been closed but I've actually done a scan today against Flink 1.12.2
and 1.13 snapshot (building it myself) and I see
"link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445",
"type": "image",
"layerTime": 1615203557,
"templates": [],
"twistlock": false,
"published": 1580332500,
"discovered": "0001-01-01T00:00:00Z",
"severityCHML": "C",
"packageName": "io.netty_netty-codec",
"packageVersion": "4.1.42.Final",
"packageBinaryPkgs": [],
"packageType": "jar",
"packagePath": "/opt/flink/opt/flink-python_2.11-1.13-SNAPSHOT.jar",
still, with a suggestion to move up to netty 4.1.44. Any thoughts on this one?
Am I right in assuming it requires
https://issues.apache.org/jira/browse/FLINK-21021 because of the beam upgrade
required?
> Upgrade io.netty netty-codec in Flink (four findings)
> -----------------------------------------------------
>
> Key: FLINK-21546
> URL: https://issues.apache.org/jira/browse/FLINK-21546
> Project: Flink
> Issue Type: Bug
> Reporter: Adam Roberts
> Priority: Major
>
> Hi everyone, I have been raising plenty of JIRAs after doing a Twistlock
> container scan for Flink 1.11.3 and Hadoop 3.3.1 snapshot, for Flink itself
> (so without using Hadoop) I've noticed the following libraries in use
> (unfortunately I don't get a path where, but somewhere in Flink they must be,
> or in a dependent jar?).
>
>
> {"fixed in 4.1.46","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> }
> {"fixed in 4.1.44","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> }
> {"fixed in 4.1.44","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> }
> {fixed in 4.1.42.Final","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> }
>
> https://issues.apache.org/jira/browse/HADOOP-17556 may be useful as well
> Could we move up to Netty 4.1.46 (or something even newer?) across everything
> Flink's using? Again, I apologise for not having the paths to figure out what
> exactly is using it, but perhaps folks working directly with Flink may have a
> clue? Thanks
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
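The thread's practical question is which of the scanner's netty findings are still open in a given build and what single version an upgrade has to reach to close all of them. The script below is an added example (not Flink's, Twistlock's or the reporter's own code) that answers that from the kind of records quoted above: it compares Maven-style versions such as 4.1.42.Final against the scanner's "fixed in" value, groups the open findings by the jar that bundles the library, and picks the highest fix version as the upgrade target. The record layout, the field name fixedIn, the fix version attached to the io.netty_netty 3.10.6.Final hit, and the CVE-EXAMPLE-0000 record are constructed for the example and are not taken from the scanner.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample findings, reduced to the fields needed for triage. The
# first three mirror records quoted in this thread (the fix version for the
# io.netty_netty 3.10.6.Final hit is an assumption, copied from the
# netty-codec one); the fourth is a made-up, already-fixed record so the
# filter has something to drop. "(not reported)" stands in for fields the
# scanner did not give.
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"cve": "CVE-2019-20445", "packageName": "io.netty_netty-codec",
     "packageVersion": "4.1.42.Final", "fixedIn": "4.1.44",
     "packagePath": "/opt/flink/opt/flink-python_2.11-1.13-SNAPSHOT.jar"},
    {"cve": "CVE-2019-20445", "packageName": "io.netty_netty",
     "packageVersion": "3.10.6.Final", "fixedIn": "4.1.44",
     "packagePath": "/opt/flink/lib/flink-dist_2.11-1.13-SNAPSHOT.jar"},
    {"cve": "(not reported)", "packageName": "io.netty_netty-codec",
     "packageVersion": "4.1.34.Final", "fixedIn": "4.1.46",
     "packagePath": "(not reported)"},
    {"cve": "CVE-EXAMPLE-0000", "packageName": "io.netty_netty-codec",
     "packageVersion": "4.1.46.Final", "fixedIn": "4.1.46",
     "packagePath": "/opt/flink/lib/example-bundle.jar"},
]

# Qualifiers that Maven-style versions use to mean "a release, not a
# pre-release": 4.1.44 and 4.1.44.Final denote the same artifact.
_RELEASE_QUALIFIERS = {"", "final", "ga", "release"}


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '4.1.42.Final' into ((4, 1, 42), 'final').

    Numeric components are read until the first non-numeric one; everything
    from there on is the qualifier (e.g. 'snapshot', 'beta1', 'final').
    """
    parts = re.split(r"[.\-]", version.strip())
    numbers: List[int] = []
    qualifier = ""
    for i, part in enumerate(parts):
        if part.isdigit():
            numbers.append(int(part))
        else:
            qualifier = "-".join(parts[i:]).lower()
            break
    return tuple(numbers), qualifier


def version_key(version: str) -> Tuple[Tuple[int, ...], Tuple[int, str]]:
    """Sortable key: numeric tuple padded to four places, then a qualifier
    rank so that releases sort after pre-releases of the same number."""
    numbers, qualifier = parse_version(version)
    padded = numbers + (0,) * (4 - len(numbers))
    rank = (1, "") if qualifier in _RELEASE_QUALIFIERS else (0, qualifier)
    return padded, rank


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the scanner's fix version."""
    return version_key(installed) >= version_key(fixed_in)


def open_findings_by_path(findings: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group the findings that are still open by the jar they were found in,
    so each one can be traced to the module that bundles the library."""
    grouped: Dict[str, List[Tuple[str, str, str, str]]] = {}
    for f in findings:
        if is_fixed(f["packageVersion"], f["fixedIn"]):
            continue
        grouped.setdefault(f["packagePath"], []).append(
            (f["cve"], f["packageName"], f["packageVersion"], f["fixedIn"]))
    return grouped


def minimum_target_version(findings: List[Dict[str, str]],
                           package_prefix: str = "io.netty_") -> Optional[str]:
    """Highest fix version among open findings for one library family: the
    single version an upgrade has to reach to close all of them at once."""
    targets = [f["fixedIn"] for f in findings
               if f["packageName"].startswith(package_prefix)
               and not is_fixed(f["packageVersion"], f["fixedIn"])]
    return max(targets, key=version_key) if targets else None


if __name__ == "__main__":
    for path, items in open_findings_by_path(SAMPLE_FINDINGS).items():
        print(path)
        for cve, name, version, fixed_in in items:
            print(f"  {cve}: {name} {version} (fixed in {fixed_in})")
    print("upgrade target:", minimum_target_version(SAMPLE_FINDINGS))
```

Run as-is it lists the three open findings under their jar paths, drops the already-fixed record, and reports 4.1.46 as the upgrade target, which is the version the issue asks about. The qualifier ranking matters for snapshot builds like the one scanned in the comment: a 4.1.44-SNAPSHOT of a library is deliberately not treated as reaching a 4.1.44 fix.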