[jira] [Updated] (FLINK-34541) Flink uses insecure http confluent endpoint in its build

2024-02-28 Thread PJ Fanning (Jira)


 [ 
https://issues.apache.org/jira/browse/FLINK-34541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

PJ Fanning updated FLINK-34541:
---
Issue Type: Bug  (was: Improvement)

> Flink uses insecure http confluent endpoint in its build
>
> Key: FLINK-34541
> URL: https://issues.apache.org/jira/browse/FLINK-34541
> Project: Flink
> Issue Type: Bug
> Components: Build System
> Reporter: PJ Fanning
> Priority: Major
>
> See https://github.com/apache/flink/blob/641f4f4d0d0156b84bdb9ba528b1dd96f7ae9d9c/flink-end-to-end-tests/test-scripts/kafka-common.sh#L55
> Please use https instead.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (FLINK-34541) Flink uses insecure http confluent endpoint in its build

2024-02-28 Thread PJ Fanning (Jira)
PJ Fanning created FLINK-34541:
--

 Summary: Flink uses insecure http confluent endpoint in its build
 Key: FLINK-34541
 URL: https://issues.apache.org/jira/browse/FLINK-34541
 Project: Flink
  Issue Type: Improvement
  Components: Build System
Reporter: PJ Fanning


See 
https://github.com/apache/flink/blob/641f4f4d0d0156b84bdb9ba528b1dd96f7ae9d9c/flink-end-to-end-tests/test-scripts/kafka-common.sh#L55

Please use https instead.





[jira] [Created] (FLINK-33505) switch away from using netty 3 based Pekko Classic Remoting

2023-11-09 Thread PJ Fanning (Jira)
PJ Fanning created FLINK-33505:
--

 Summary: switch away from using netty 3 based Pekko Classic Remoting
 Key: FLINK-33505
 URL: https://issues.apache.org/jira/browse/FLINK-33505
 Project: Flink
  Issue Type: Improvement
Reporter: PJ Fanning


It is my understanding that Flink uses the Netty 3 based Pekko Classic Remoting.

Netty 3 has a lot of security issues.

It will be months before Pekko 1.1.0 is released but that switches Classic 
Remoting to use Netty 4.

Akka and Pekko actually recommend that users switch to using Artery based 
communications.

Even if you wait for Pekko 1.1.0, the new Netty 4 based classic remoting will 
need to be tested.

There is also the option of dropping Pekko - FLINK-29281

If you don't want to try Artery and don't want to wait for Pekko 1.1.0, you 
might be able to copy over 5 classes that add Netty 4 support and update your 
application.conf. This would be approximately 
https://github.com/apache/incubator-pekko/pull/778. There is a bit more work to 
do in terms of debugging the test failure and it seems that this change is 
unlikely to be merged back to the Pekko 1.0.x line.





[jira] [Commented] (FLINK-25240) Update log4j2 version to 2.15.0

2021-12-10 Thread PJ Fanning (Jira)


[ 
https://issues.apache.org/jira/browse/FLINK-25240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17456950#comment-17456950
 ] 

PJ Fanning commented on FLINK-25240:


2.15.0 is released to maven central - 
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/

> Update log4j2 version to 2.15.0
>
> Key: FLINK-25240
> URL: https://issues.apache.org/jira/browse/FLINK-25240
> Project: Flink
> Issue Type: Bug
> Components: API / Core
> Affects Versions: 1.14.0
> Reporter: Ada Wong
> Priority: Blocker
>
> 2.0 <= Apache log4j2 <= 2.14.1 have an RCE zero day.
> https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
> https://www.lunasec.io/docs/blog/log4j-zero-day/



--
This message was sent by Atlassian Jira
(v8.20.1#820001)