[ https://issues.apache.org/jira/browse/FLINK-29710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martijn Visser closed FLINK-29710.
----------------------------------
Fix Version/s: 1.17.0
Resolution: Fixed
Fixed in master:
[FLINK-29710][Filesystem] Bump minimum supported Hadoop version to 2.10.2: 573ed922346c791760d27653543c2b8df56f51f7
[FLINK-29710][Hadoop/Hive] Exclude Reload4J from all Hadoop and Hive dependencies: a9151c42100ec09388d8052c7aa9f77f82efe469
[hotfix] Sync English version of gcs.md to Chinese version due to being out-of-sync: 627d293b6938f9f9e6ceca6dfef3a3ff42b9de39
> Upgrade the minimal supported hadoop version to 2.10.2
> ------------------------------------------------------
>
> Key: FLINK-29710
> URL: https://issues.apache.org/jira/browse/FLINK-29710
> Project: Flink
> Issue Type: Technical Debt
> Components: FileSystems
> Reporter: Martijn Visser
> Assignee: Martijn Visser
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.17.0
>
>
> Hadoop 2.8.5 is vulnerable to multiple CVEs such as
> https://nvd.nist.gov/vuln/detail/CVE-2022-25168 and
> https://nvd.nist.gov/vuln/detail/CVE-2022-26612 which are classified as
> Critical. While Flink is not directly impacted by those, we do see
> vulnerability scanners flag Flink as being vulnerable. We could easily
> mitigate that by bumping the minimal supported version of Hadoop to 2.10.2.
> Please note that this doesn't break the binary protocol compatibility, which
> means that a 2.10.2 client can still talk to older servers.
> Discussion thread:
> https://lists.apache.org/thread/tgw2dmnoxm7sdwyjohskmvpk3pdd3qvm