Cameron created FLINK-39060:
-------------------------------

             Summary: Bump Java dependencies to resolve CVEs
                 Key: FLINK-39060
                 URL: https://issues.apache.org/jira/browse/FLINK-39060
             Project: Flink
          Issue Type: Improvement
            Reporter: Cameron


The following dependencies contain CVEs:
 * flink-connector-kafka 3.0.0-1.17 contains the following CVEs:
 ** [CVE-2025-27819|https://github.com/advisories/GHSA-mcwh-c9pg-xw43]
 ** [CVE-2025-27818|https://github.com/advisories/GHSA-76qp-h5mr-frr4]
 ** [CVE-2025-27817|https://github.com/advisories/GHSA-vgq5-3255-v292]
 ** [CVE-2024-56128|https://github.com/advisories/GHSA-p7c9-8xx8-h74f]
 ** [CVE-2024-31141|https://github.com/advisories/GHSA-2x2g-32r7-p4x8]
 ** [CVE-2023-44981|https://github.com/advisories/GHSA-7286-pgfv-vxvh]
 * Guava 30.0-jre contains the following CVEs:
 ** [CVE-2023-2976|https://github.com/advisories/GHSA-7g45-4rm6-3mm3]
 ** [CVE-2020-8908|https://github.com/advisories/GHSA-5mg8-w23w-74h3]
 * log4j-core 2.24.3 contains the following CVE:
 ** [CVE-2025-68161|https://github.com/advisories/GHSA-vc5p-v9hr-52mj]
 * lz4-java 1.8.0 has the following CVEs:
 ** [CVE-2025-66566|https://www.cve.org/CVERecord?id=CVE-2025-66566]
 ** [CVE-2025-12183|https://www.cve.org/CVERecord?id=CVE-2025-12183]
 * commons-beanutils contains CVE-2025-48734

I am proposing the following dependency changes:
 * Update flink-connector-kafka & flink-sql-connector-kafka to 4.0.1-2.0
 * Update Guava to 32.0.1
 * Update log4j to 2.25.3
 * Update lz4-java to 1.10.3
 * Update commons-beanutils to 1.11.0

This will also close the following Hotfix PRs:
 * [https://github.com/apache/flink/pull/27479]
 * [https://github.com/apache/flink/pull/27493]
 * [https://github.com/apache/flink/pull/27512]
 * [https://github.com/apache/flink/pull/27535]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
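The check a reviewer of such a bump would want is whether every pinned version in the build actually reaches the proposed minimum, including versions hidden behind `${property}` references. The script below is an added example, not code from the Flink project or from the issue: it parses a constructed sample pom.xml (not Flink's real pom), resolves property references, and reports every listed artifact still pinned below the version proposed in FLINK-39060. The Maven coordinates (`org.apache.flink:flink-connector-kafka`, `com.google.guava:guava`, `org.apache.logging.log4j:log4j-core`, `org.lz4:lz4-java`, `commons-beanutils:commons-beanutils`) are assumed; the issue names only the artifacts. Version comparison uses the numeric part before the first `-`, so the Flink connector's `-<flink-version>` suffix and Guava's `-jre` qualifier are ignored.

```python
import re
import xml.etree.ElementTree as ET

# Minimum versions proposed in FLINK-39060, keyed by Maven groupId:artifactId.
# The groupIds are assumed for this example; the issue lists only artifact names.
MINIMUM_VERSIONS = {
    "org.apache.flink:flink-connector-kafka": "4.0.1-2.0",
    "org.apache.flink:flink-sql-connector-kafka": "4.0.1-2.0",
    "com.google.guava:guava": "32.0.1",
    "org.apache.logging.log4j:log4j-core": "2.25.3",
    "org.lz4:lz4-java": "1.10.3",
    "commons-beanutils:commons-beanutils": "1.11.0",
}

# Constructed sample pom.xml for this example (not the Flink repository's pom):
# three artifacts still on the old versions, one already bumped, one via a property.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>2.24.3</log4j.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.flink</groupId>
        <artifactId>flink-connector-kafka</artifactId>
        <version>3.0.0-1.17</version>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>30.0-jre</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.version}</version>
      </dependency>
      <dependency>
        <groupId>org.lz4</groupId>
        <artifactId>lz4-java</artifactId>
        <version>1.10.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def version_key(version):
    """Numeric core of a Maven version as a tuple for ordering:
    '4.0.1-2.0' -> (4, 0, 1), '30.0-jre' -> (30, 0). Text after the first '-'
    (a qualifier or the Flink connector's '-<flink-version>' suffix) is ignored;
    non-numeric segments (e.g. an unresolved ${property}) compare as 0."""
    core = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def _local(tag):
    # Strip the POM XML namespace so tag names can be compared directly.
    return tag.rsplit("}", 1)[-1]


def pinned_versions(pom_xml):
    """Map 'groupId:artifactId' -> version for every <dependency> in the POM,
    resolving ${property} references against the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for prop in node:
                props[_local(prop.tag)] = (prop.text or "").strip()
    pins = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        pins[f"{fields.get('groupId')}:{fields.get('artifactId')}"] = version
    return pins


def outdated(pom_xml, minimums=MINIMUM_VERSIONS):
    """Return {coordinate: (pinned, minimum)} for every listed artifact whose
    pinned version is below the proposed minimum."""
    result = {}
    for coord, pinned in pinned_versions(pom_xml).items():
        if coord in minimums and version_key(pinned) < version_key(minimums[coord]):
            result[coord] = (pinned, minimums[coord])
    return result


if __name__ == "__main__":
    for coord, (have, need) in sorted(outdated(SAMPLE_POM).items()):
        print(f"{coord}: {have} -> bump to {need}")
```

On the sample POM this flags flink-connector-kafka, guava and log4j-core (the last one only because the `${log4j.version}` property is resolved first), and passes lz4-java, which is already at 1.10.3. Run against the real build, it only proves the pins are raised, not that no older copy is still pulled in transitively; `mvn dependency:tree` on the affected modules is the complementary check for that.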