[
https://issues.apache.org/jira/browse/FLINK-29319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605747#comment-17605747
]
Sergey Nuyanzin commented on FLINK-29319:
-----------------------------------------
Just want to clarify that this functions mentioned in CVE {{EXISTS_NODE}},
{{EXTRACT_XML}}, {{XML_TRANSFORM}} or {{EXTRACT_VALUE}} are specific for
Oracle/MySql dialect and neither them nor
{{org.apache.calcite.runtime.XmlFunctions}} where they are defined and where
the CVE was detected/fixed[1] not used in Flink.
So this CVE should not impact Flink
[1] https://github.com/apache/calcite/pull/2892/files
> Upgrade Calcite version to 1.32
> -------------------------------
>
> Key: FLINK-29319
> URL: https://issues.apache.org/jira/browse/FLINK-29319
> Project: Flink
> Issue Type: Improvement
> Components: Table SQL / API, Table SQL / Planner
> Reporter: Martijn Visser
> Priority: Major
>
> {code}
> This release fixes CVE-2022-39135, an XML External Entity (XEE) vulnerability
> that allows a SQL query to read the contents of files via the SQL functions
> EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM or EXTRACT_VALUE.
> Coming 1 month after 1.31.0 with 19 issues fixed by 17 contributors, this
> release also replaces the ESRI spatial engine with JTS and proj4j, adds 65
> spatial SQL functions including ST_Centroid, ST_Covers and
> ST_GeomFromGeoJSON, adds the CHAR SQL function, and improves the return type
> of the ARRAY and MULTISET functions.{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
