[
https://issues.apache.org/jira/browse/FLINK-34955?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834681#comment-17834681
]
Shilun Fan commented on FLINK-34955:
------------------------------------
[~gongzhongqiang] From my personal perspective, I believe upgrading to version
1.26.0 should be sufficient as this version has already fixed the CVE issue. As
for upgrading to 1.26.1, I think we can consider it after some time. Removing
commons-codec might prove to be challenging because Flink has dependencies on
Hadoop and HBase (both of which directly depend on commons-codec). If we remove
commons-codec, it may result in the Hadoop and HBase modules being unable to
compile successfully.
> Upgrade commons-compress to 1.26.0
> ----------------------------------
>
> Key: FLINK-34955
> URL: https://issues.apache.org/jira/browse/FLINK-34955
> Project: Flink
> Issue Type: Improvement
> Reporter: Shilun Fan
> Assignee: Shilun Fan
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.18.2, 1.20.0, 1.19.1
>
>
> commons-compress 1.24.0 has CVE issues; try to upgrade to 1.26.0. We can
> refer to the Maven link:
> https://mvnrepository.com/artifact/org.apache.commons/commons-compress