[ https://issues.apache.org/jira/browse/FLINK-29654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martijn Visser closed FLINK-29654.
----------------------------------
Resolution: Invalid
[~nagasudhakar] Thanks for this but tickets like these aren't really helpful;
the fact that something is marked as vulnerable doesn't mean that Flink itself
is also vulnerable (because Flink might not use that specific part that has a
vulnerability). It also doesn't help in terms of updating, because we need to
link each updated dependency to an individual Jira ticket. Last but not least,
Flink master is the latest version which already has updated dependencies for
some of those listed here. It's not always possible to backport these since
they could include a breaking API change which can only be fixed in the next
Flink minor version.
> Vulnerable libraries - Flink 1.15.2
> -----------------------------------
>
> Key: FLINK-29654
> URL: https://issues.apache.org/jira/browse/FLINK-29654
> Project: Flink
> Issue Type: Bug
> Components: Build System
> Affects Versions: 1.15.2
> Reporter: nagasudhakar
> Priority: Major
>
> Hi, our organisation ran a security scan on the Flink-1.15.2 release and found
> the following vulnerable open source libraries being used -
> JDOM 1.1
> kryo 2.24.0
> libnetty-3.9-java 3.9.0.Final
> Netty Project 3.10.6.Final
> Play 2.6.11
> Apache Tika 1.28.1
> Apache Avro 1.7.7
> Apache Kafka 2.8.1
> The recommended versions for these libraries are -
> JDOM 2.0.2
> kryo 5.5.0
> libnetty-3.9-java 3.9.9.Final
> Netty Project 5.0.0.Final
> Play 2.8.16
> Apache Tika 2.4.1
> Apache Avro 1.8.2
> Apache Kafka 2.8.2
--
This message was sent by Atlassian Jira
(v8.20.10#820010)