[ https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17570097#comment-17570097 ]

Gyula Fora edited comment on FLINK-28637 at 7/22/22 3:53 PM:
-------------------------------------------------------------

Personally I am not extremely confident in simply swapping out a HttpClient 
implementation and releasing it with only minimal testing. The current JOSDK, 
fabric8, okhttp clients have been tested in various cloud environments for 
weeks/months.

It would be a real shame to introduce instability or any other problems for 
fixing a vulnerability that cannot reasonably surface for the operator. 
Especially by doing a last minute change like that.

Please open a PR, we can merge this for the main/release-1.1 branches and 
release a patch release after 1-2 weeks of testing.


> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
>                 Key: FLINK-28637
>                 URL: https://issues.apache.org/jira/browse/FLINK-28637
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-1.1.0
>            Reporter: James Busche
>            Priority: Major
>
> I noticed a high vulnerability in the 
> flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix,High severity
> cve: PRISMA-2022-0239    
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath: 
> /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are 
> vulnerable to sensitive information disclosure. An illegal character in a 
> header value will cause IllegalArgumentException which will include full 
> header value. This applies to Authorization, Cookie, Proxy-Authorization and 
> Set-Cookie headers. 
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide 
> this fix for the 3.x version.
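The failure mode the scanner description refers to, as an added illustration that is not okhttp's code and not part of this issue: a header-value check that echoes the offending value in its exception message leaks credentials whenever an Authorization or Cookie value carries a stray control character (for example a trailing newline read from a token file), because that exception message ends up in logs and crash reports. The leaky form is shown beside a form that reports only the header name and character position for secret-bearing headers. The class name, the allowed-character rule and the sensitive-header set are assumptions of this example.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not okhttp's implementation): a header-value validator in the
 * leaky form described by the scanner, and a redacting form beside it.
 */
public class HeaderValueCheck {

    // Headers whose values are credentials and must never appear in an exception
    // message or log line. This set is an assumption of the example and matches the
    // headers named in the issue description.
    private static final Set<String> SENSITIVE = Set.of(
            "authorization", "cookie", "proxy-authorization", "set-cookie");

    /** Returns the index of the first character not allowed in a header value, or -1. */
    static int firstIllegalIndex(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Example rule: allow horizontal tab and printable ASCII (0x20..0x7E);
            // reject other control characters, DEL and non-ASCII.
            if (c != '\t' && (c < 0x20 || c > 0x7E)) {
                return i;
            }
        }
        return -1;
    }

    /** Leaky form: the exception message echoes the full header value. */
    static void checkValueLeaky(String name, String value) {
        int i = firstIllegalIndex(value);
        if (i >= 0) {
            throw new IllegalArgumentException(String.format(
                    "Unexpected char 0x%02x at %d in %s value: %s",
                    (int) value.charAt(i), i, name, value));
        }
    }

    /** Hardened form: secret-bearing headers are never echoed, only name and position. */
    static void checkValueRedacting(String name, String value) {
        int i = firstIllegalIndex(value);
        if (i >= 0) {
            boolean sensitive = SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
            String shown = sensitive ? "<redacted>" : value;
            throw new IllegalArgumentException(String.format(
                    "Unexpected char 0x%02x at %d in %s value: %s",
                    (int) value.charAt(i), i, name, shown));
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a bearer token with a trailing newline, as happens when a
        // token is read from a file without trimming. The token itself is made up.
        String token = "Bearer example.token.value\n";
        try {
            checkValueLeaky("Authorization", token);
        } catch (IllegalArgumentException e) {
            // The whole token is now in the message (newline escaped for display).
            System.out.println("leaky:    " + e.getMessage().replace("\n", "\\n"));
        }
        try {
            checkValueRedacting("Authorization", token);
        } catch (IllegalArgumentException e) {
            // Still enough to debug (header name, offset, byte), nothing to leak.
            System.out.println("redacted: " + e.getMessage());
        }
    }
}
```

The detection angle for operators of a shaded jar like this one is the same in either direction: grep application logs for `IllegalArgumentException` messages that contain `Authorization` or `Cookie` followed by a value, and treat any hit as a credential exposure to rotate, regardless of whether the dependency has been upgraded yet.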



--
This message was sent by Atlassian Jira
(v8.20.10#820010)