[
https://issues.apache.org/jira/browse/FLINK-24025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17405857#comment-17405857
]
Chesnay Schepler commented on FLINK-24025:
------------------------------------------
* commons-compress: FLINK-24034
* slf4j: Either you are referencing a vulnerability which only applies to
slf4j-ext in which case it doesn't apply to Flink (see FLINK-23444), or some
other vulnerability in which case you should upgrade to 1.14.0 once it is
released (see FLINK-22407).
* netty: Will not be upgraded for technical reasons.
* cxf-rt-rs-json-basic: I've never heard of this dependency so it's unlikely to
come from Flink. Please specify where exactly you found it.
* bzip2: Please specify where exactly you found this dependency.
> The components on which Flink depends may contain vulnerabilities. If yes,
> fix them.
> ------------------------------------------------------------------------------------
>
> Key: FLINK-24025
> URL: https://issues.apache.org/jira/browse/FLINK-24025
> Project: Flink
> Issue Type: Improvement
> Components: Build System
> Affects Versions: 1.11.3
> Reporter: mixedfruit
> Priority: Minor
>
> In Flink v1.11.3 contains netty(version:3.10.6)
> commons-compress(version:1.20) slf4j(version:1.7.15)
> cxf-rt-rs-json-basic(version:3.4.0) and bzip2(version:1.0.6). There are many
> vulnerabilities, like
> CVE-2020-13954,CVE-2021-22696,CVE-2021-30468,CVE-2018-8088,
> CVE-2021-21409,CVE-2021-35517 etc. please confirm these version and fix. thx
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
