[ https://issues.apache.org/jira/browse/FLINK-39670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purushottam Sinha updated FLINK-39670:
--------------------------------------
    Summary: Bump Flink-controlled Java dependencies to resolve CVEs Part 2 
(kafka-clients, okhttp, wiremock)  (was: Bump Flink-controlled Java 
dependencies to resolve CVEs Part 2 (kafka-clients, okhttp, zookeeper, 
wiremock))

> Bump Flink-controlled Java dependencies to resolve CVEs Part 2 
> (kafka-clients, okhttp, wiremock)
> ------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-39670
>                 URL: https://issues.apache.org/jira/browse/FLINK-39670
>             Project: Flink
>          Issue Type: Improvement
>            Reporter: Purushottam Sinha
>            Priority: Major
>              Labels: security
>
> Several Flink-controlled Java dependencies have known CVEs requiring updates:
> - kafka-clients 3.2.3 (direct test-scope dep in flink-sql-client-test) 
> contains CVE-2024-31141, CVE-2025-27817
> - okhttp 3.7.0 (hardcoded test-scope override in flink-runtime) contains 
> CVE-2018-20200
> - wiremock-jre8 2.32.0 (test-scope in flink-metrics-influxdb) contains 
> CVE-2023-41327, CVE-2023-41329
>
> *Proposed updates:*
> - Bump kafka-clients to 3.9.2 in flink-sql-client-test (direct test-scope 
> dep)
> - Drop the hardcoded okhttp 3.7.0 in flink-runtime so it inherits 
> ${okhttp.version} (3.14.9) from the root pom
> - Bump wiremock-jre8 to 2.35.2 in flink-metrics-influxdb
>
> *Out of scope:*
> CVEs that come in via Hadoop / Alluxio / kubernetes-client transitives.
> Predecessor: https://issues.apache.org/jira/browse/FLINK-39580



--
This message was sent by Atlassian Jira
(v8.20.10#820010)