[ https://issues.apache.org/jira/browse/FLINK-24025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17405857#comment-17405857 ]
Chesnay Schepler commented on FLINK-24025:
------------------------------------------

* commons-compress: FLINK-24034
* slf4j: Either you are referencing a vulnerability which only applies to slf4j-ext, in which case it doesn't apply to Flink (see FLINK-23444), or some other vulnerability, in which case you should upgrade to 1.14.0 once it is released (see FLINK-22407).
* netty: Will not be upgraded for technical reasons.
* cxf-rt-rs-json-basic: I've never heard of this dependency, so it's unlikely to come from Flink. Please specify where exactly you found it.
* bzip2: Please specify where exactly you found this dependency.

> The components on which Flink depends may contain vulnerabilities. If yes, fix them.
> ------------------------------------------------------------------------------------
>
>                 Key: FLINK-24025
>                 URL: https://issues.apache.org/jira/browse/FLINK-24025
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>    Affects Versions: 1.11.3
>            Reporter: mixedfruit
>            Priority: Minor
>
> Flink v1.11.3 contains netty (version 3.10.6), commons-compress (version 1.20), slf4j (version 1.7.15), cxf-rt-rs-json-basic (version 3.4.0) and bzip2 (version 1.0.6). There are many vulnerabilities, like CVE-2020-13954, CVE-2021-22696, CVE-2021-30468, CVE-2018-8088, CVE-2021-21409, CVE-2021-35517 etc. Please confirm these versions and fix. thx