[ https://issues.apache.org/jira/browse/FLINK-22441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331897#comment-17331897 ]

Konstantin Knauf commented on FLINK-22441:
------------------------------------------

Netty 3.10.6 comes in as a transitive dependency of Akka, which is used for 
distributed coordination. Unfortunately, we cannot upgrade Akka to 2.6+, 
because we still rely on support for Scala 2.11, which is dropped in Akka 2.6. 
When Flink drops support for Scala 2.11, we can tackle the upgrade of Akka and 
transitively Netty. 

If you list the vulnerabilities that your scanner found, we can make a quick 
assessment of whether Flink/Akka use the mentioned components/classes; e.g. for 
CVE-2019-20445 & CVE-2019-20444 this is not the case.


> Flink v1.11.3 contains netty (version 3.10.6) and netty (version 4.1.60). There 
> are many vulnerabilities, like CVE-2021-21409 etc. Please confirm these 
> versions and fix. Thx
> --------------------------------------------------------------------------------
>
>                 Key: FLINK-22441
>                 URL: https://issues.apache.org/jira/browse/FLINK-22441
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / Coordination
>    Affects Versions: 1.11.3
>            Reporter: 张健
>            Priority: Major
>
> Flink v1.11.3 contains netty (version 3.10.6) and netty (version 4.1.60). There 
> are many vulnerabilities, like CVE-2021-21409, CVE-2021-21295 etc. Please 
> confirm these versions and fix. Thx



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
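The "do we actually use the affected classes" triage described in the comment above, as an added example that is not Flink or Akka project code: it scans the .class files in a jar for constant-pool references to the classes an advisory names. The jar, the class file contents and the CVE-to-class mapping are all constructed assumptions for illustration, not verified advisory data; a real run would point it at the Flink and Akka jars and a mapping taken from the actual advisories.

```python
"""Triage check: which application classes reference classes named in an advisory?

A referenced class appears in a .class file's constant pool as a UTF-8 internal
name such as 'org/jboss/netty/channel/Channel', so a string scan is a cheap first
pass: it may over-report (string literals), but it will not miss a real reference.
"""
import io
import re
import zipfile

# ASSUMED mapping CVE -> affected JVM internal class names (illustrative only;
# take the real list from the advisory before relying on the result).
ADVISORY = {
    "CVE-2019-20444": ["org/jboss/netty/handler/codec/http/HttpMessageDecoder"],
}

# Slash-separated Java identifiers, e.g. org/jboss/netty/channel/Channel
_INTERNAL_NAME = re.compile(rb"(?:[A-Za-z_$][\w$]*/)+[A-Za-z_$][\w$]*")


def referenced_classes(class_bytes: bytes) -> set:
    """Return the JVM internal class names found as strings in one .class file."""
    return {m.decode("ascii") for m in _INTERNAL_NAME.findall(class_bytes)}


def scan_jar(jar_bytes: bytes, advisory: dict) -> dict:
    """Map each CVE to the jar entries that reference one of its affected classes."""
    hits = {cve: [] for cve in advisory}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            refs = referenced_classes(jar.read(name))
            for cve, affected in advisory.items():
                if any(cls in refs for cls in affected):
                    hits[cve].append(name)
    return hits


def build_sample_jar() -> bytes:
    """Constructed jar with two fake class files (not real bytecode; the scan only
    looks at constant-pool strings): one references the affected decoder, the
    other only a harmless channel class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("app/HttpServer.class",
                     b"\xca\xfe\xba\xbe..org/jboss/netty/handler/codec/http/HttpMessageDecoder..")
        jar.writestr("app/RpcClient.class",
                     b"\xca\xfe\xba\xbe..org/jboss/netty/channel/Channel..")
    return buf.getvalue()


if __name__ == "__main__":
    for cve, users in scan_jar(build_sample_jar(), ADVISORY).items():
        print(cve, "referenced by:", users or "no application class")
```

A CVE whose affected classes are referenced by nothing in the scanned jars is the "not the case" outcome the comment describes; a hit means the call path still has to be reviewed, since a reference alone does not prove the vulnerable code is reachable.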