spuru9 opened a new pull request, #28147:
URL: https://github.com/apache/flink/pull/28147
## What is the purpose of the change
Round-2 CVE bumps for Flink-controlled (non-Hadoop-transitive) Java
dependencies, continuing the cleanup pattern from FLINK-39580 / PR #28072. Each
change is either a bundled-dep version bump or a managed-pin update in the root
pom; all changes are scoped narrowly so the blast radius stays small.
Cross-checked against open PRs #27479 (FLINK-39148, kafka-connector) and
#27493 (FLINK-39147, guava): no overlap. PR #27479 touches the same file
(`flink-end-to-end-tests/flink-sql-client-test/pom.xml`) but on a different
dependency (`flink-sql-connector-kafka`, not the direct `kafka-clients` test
dep), so the two PRs will merge cleanly.
### CVEs cleared
| Dep | Change | CVE | Severity |
|---|---|---|---|
| `com.fasterxml.jackson.core:jackson-{core,databind,annotations}` | 2.15.2 → 2.19.4 (bundled in `flink-model-triton`) | CVE-2025-52999 (jackson-core stack overflow DoS on deeply nested JSON) | HIGH (8.7) |
| `org.apache.kafka:kafka-clients` | 3.2.3 → 3.9.2 (direct test-scope dep in `flink-sql-client-test`) | CVE-2024-31141 (privilege escalation via ConfigProvider) | MEDIUM |
| `org.apache.kafka:kafka-clients` | 3.2.3 → 3.9.2 (same) | CVE-2025-27817 (SSRF + arbitrary file read via SASL OAuth) | HIGH |
| `com.squareup.okhttp3:okhttp` | 3.7.0 → 3.14.9 (inherit root managed pin; test scope in `flink-runtime`) | CVE-2018-20200 (CertificatePinner pinning bypass) | MEDIUM |
| `org.apache.zookeeper:zookeeper` | 3.7.2 → 3.8.5 (root managed pin; pairs with `flink-shaded-zookeeper-3 3.8.5-21.0`) | CVE-2024-23944 (information disclosure in persistent-watcher ACL handling) | CRITICAL (rated) |
| `com.github.tomakehurst:wiremock-jre8` | 2.32.0 → 2.35.2 (test scope in `flink-metrics-influxdb`) | CVE-2023-41327 (controlled SSRF in webhooks) | LOW |
| `com.github.tomakehurst:wiremock-jre8` | 2.32.0 → 2.35.2 (same) | CVE-2023-41329 (DNS rebinding bypass in webhooks/proxy/recorder) | LOW |
## Brief change log
- `flink-models/flink-model-triton`: bump `jackson.version` 2.15.2 → 2.19.4;
refresh `META-INF/NOTICE` accordingly. (2.19.4 is the latest jackson line where
`core` / `databind` / `annotations` share a unified patch version — starting at
2.20, `jackson-annotations` decoupled from the others.)
- `flink-end-to-end-tests/flink-sql-client-test`: bump direct
`kafka-clients` test dep 3.2.3 → 3.9.2. `dependencyManagement` pin (2.2.2,
satisfies enforcer-plugin only) intentionally left as-is per the in-file
comment.
- `flink-runtime`: drop hardcoded `okhttp` 3.7.0 in test scope so it
inherits the root `${okhttp.version}` (3.14.9), clearing the 3.7.0-specific CVE
without otherwise touching the project-wide okhttp pin.
- root `pom.xml` + `FlinkTestcontainersConfigurator.java`: bump
`zookeeper.version` 3.7.2 → 3.8.5 and the matching testcontainer Docker tag
(per the in-pom comment). `flink-shaded-zookeeper-3:3.8.5-21.0` is already
published on Maven Central with the current `flink.shaded.version=21.0`;
verified by HTTP HEAD and `mvn dependency:resolve`.
- `flink-metrics/flink-metrics-influxdb`: bump test-scope `wiremock-jre8`
2.32.0 → 2.35.2.
## Verifying this change
This change is a dependency-version-only change and has no test coverage of
its own. Verified by:
- Built `./mvnw clean install -DskipTests -Drat.skip=true -Pskip-webui-build -pl flink-models/flink-model-triton,flink-end-to-end-tests/flink-sql-client-test,flink-runtime,flink-metrics/flink-metrics-influxdb,flink-test-utils-parent/flink-connector-test-utils -am -T 1C` — 94 modules SUCCESS, 0 failures.
- Verified `flink-shaded-zookeeper-3:3.8.5-21.0` resolves cleanly (HTTP 200
on Maven Central jar + pom; `mvn dependency:resolve` succeeds).
- Confirmed each fixed CVE's fixed-version range covers the bumped target.
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): **yes** (the whole
purpose)
- The public API, i.e., is any changed class annotated with
`@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: **yes — ZooKeeper
client minor bump (3.7.2 → 3.8.5)**, paired with the matching
`flink-shaded-zookeeper-3` build. Client/server compat is preserved within the
3.x line.
- The S3 file system connector: no
## Documentation
- Does this pull request introduce a new feature? no
- If yes, how is the feature documented? not applicable
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes (Claude Code)
--
This is an automated message from the Apache Git Service.