[ https://issues.apache.org/jira/browse/FLINK-25694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502991#comment-17502991 ]
David Perkins commented on FLINK-25694:
---------------------------------------
I spoke too soon. The new Presto release still doesn't have the updated Alluxio
client. The release must have been cut before that change went into master.
I'll keep an eye on it and open up a PR when it gets updated.
> GSON/Alluxio Vulnerability
> --------------------------
>
> Key: FLINK-25694
> URL: https://issues.apache.org/jira/browse/FLINK-25694
> Project: Flink
> Issue Type: Technical Debt
> Components: Connectors / FileSystem, FileSystems
> Affects Versions: 1.14.2
> Reporter: David Perkins
> Priority: Major
>
> GSON has a bug, which was fixed in 2.8.9, see
> https://github.com/google/gson/pull/1991.
> This results in the possibility for DOS attacks.
> GSON is included in the `flink-s3-fs-presto` plugin, because Alluxio includes
> it in their shaded client. I've opened an issue in Alluxio:
> https://github.com/Alluxio/alluxio/issues/14868. When that is fixed, the
> plugin also needs to be updated.