[jira] [Closed] (FLINK-28714) Resolve CVEs from beam-vendor-grpc-1_26_0-0.3

Martijn Visser (Jira) Wed, 27 Jul 2022 04:27:10 -0700


     [ 
https://issues.apache.org/jira/browse/FLINK-28714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Martijn Visser closed FLINK-28714.
----------------------------------
    Resolution: Duplicate

> Resolve CVEs from beam-vendor-grpc-1_26_0-0.3
> ---------------------------------------------
>
>                 Key: FLINK-28714
>                 URL: https://issues.apache.org/jira/browse/FLINK-28714
>             Project: Flink
>          Issue Type: Bug
>          Components: API / Python
>    Affects Versions: 1.13.6
>            Reporter: Bilna
>            Priority: Major
>
> The following CVEs comes from the transient dependency, BouncyCastle:1.54 
> through Apache Beam dependency in flink-python.
> CVE-2018-1000180, 
> CVE-2016-1000352,
> CVE-2016-1000344, 
> CVE-2016-1000340, 
> CVE-2016-1000342, 
> CVE-2016-1000343, 
> CVE-2016-1000338
> The issue comes from beam-vendor-grpc-1_26_0-0.3. 
>  
> The latest Flink uses apache beam 2.38.0 and its BouncyCastle version is 
> 1.67. BouncyCastle should be of version 1.7 or greater
> grpc-Java:1.48.0 has removed BouncyCastle dependency.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Closed] (FLINK-28714) Resolve CVEs from beam-vendor-grpc-1_26_0-0.3

Reply via email to