[
https://issues.apache.org/jira/browse/FLINK-23221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17374746#comment-17374746
]
Till Rohrmann commented on FLINK-23221:
---------------------------------------
Thanks for reporting this issue [~Raszan]. Do you know whether CVE-2019-25013
will be fixed in the latest {{openjdk:8-jre}} image? If yes, then it will be
fixed with the next minor release {{1.13.2}}.
There are currently no plans to change the base image back to Alpine at the
moment.
cc [~chesnay].
> Docker image vulnerability
> --------------------------
>
> Key: FLINK-23221
> URL: https://issues.apache.org/jira/browse/FLINK-23221
> Project: Flink
> Issue Type: Improvement
> Components: flink-docker
> Affects Versions: 1.13.1
> Environment: Issue was discovered by AWS ECR image scanning on
> apache/flink:1.13.1-scala_2.12
> Reporter: Razvan AGAPE
> Priority: Major
> Labels: docker, flink, glibc
>
> The AWS ECR image scanning reports some HIGH vulnerabilities on
> apache/flink:1.13.1-scala_2.12 docker image. In addition, all versions prior
> to this one have these issues.
> The vulnerabilities are the following:
> # [CVE-2021-33574|https://security-tracker.debian.org/tracker/CVE-2021-33574]
> # [CVE-2019-25013 - for this one a patch has been released in glibc version
> 2.31-9|https://security-tracker.debian.org/tracker/CVE-2019-25013]
> Our security policy does not allow us to deploy images having security
> vulnerabilities. Searching through the Internet I found that for the first
> problem, a patch containing the solution will be released this year.
> Do you plan to release a new image containing the newer glibc version in
> order to solve those issues?
> Also, I checked and the alpine based flink images do not have these
> vulnerabilities. Do you plan to release newer versions of flink based on
> alpine (latest one is flink:1.8.x)?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)