[jira] [Commented] (FLINK-10303) Fix critical vulnerabilities Python API
[ https://issues.apache.org/jira/browse/FLINK-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17336583#comment-17336583 ]

Flink Jira Bot commented on FLINK-10303:

This issue was labeled "stale-major" 7 ago and has not received any updates so it is being deprioritized. If this ticket is actually Major, please raise the priority and ask a committer to assign you the issue or revive the public discussion.

> Fix critical vulnerabilities Python API
> ---
>
> Key: FLINK-10303
> URL: https://issues.apache.org/jira/browse/FLINK-10303
> Project: Flink
> Issue Type: Improvement
> Components: API / Python
> Affects Versions: 1.6.0
> Reporter: Konstantin Knauf
> Priority: Major
> Labels: stale-major
>
> A user has reported two "critical" vulnerabilities in the Python API, which we should probably fix:
> * https://nvd.nist.gov/vuln/detail/CVE-2016-4000
> * https://cwe.mitre.org/data/definitions/384.html in flink-streaming-python_2.11-1.6.0.jar <= pip-1.6-py2.py3-none-any.whl <= sessions.py : [2.1.0, 2.6.0)
>
> For users who don't need the Python API, an easy work-around is to exclude the flink-streaming-python_2.11.jar from the distribution.

-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (FLINK-10303) Fix critical vulnerabilities Python API
[ https://issues.apache.org/jira/browse/FLINK-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17328567#comment-17328567 ]

Flink Jira Bot commented on FLINK-10303:

This major issue is unassigned and itself and all of its Sub-Tasks have not been updated for 30 days. So, it has been labeled "stale-major". If this ticket is indeed "major", please either assign yourself or give an update. Afterwards, please remove the label. In 7 days the issue will be deprioritized.
[jira] [Commented] (FLINK-10303) Fix critical vulnerabilities Python API
[ https://issues.apache.org/jira/browse/FLINK-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16613713#comment-16613713 ]

Konstantin Knauf commented on FLINK-10303:

[~Zentol] I think this was done with Sonar. I just added the maven dependency check plugin to flink-streaming-python (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html). It finds CVE-2016-4000 as well, so could be used to verify. About the other one, I am not sure. It is not found by the OWASP dependency check as far as I can tell. It looks as if it is a vulnerability in `pip`, doesn't it?
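The OWASP dependency-check-maven wiring the comment above describes, written here as an added example and not taken from the flink-streaming-python pom; the `${dependency-check.version}` property, the CVSS threshold of 7 and the suppression file name are assumptions:

```xml
<!-- Added example: OWASP dependency-check bound into a module's pom.xml.
     Not Flink's own build file. ${dependency-check.version} is a placeholder
     for a released plugin version; the CVSS 7 threshold and the suppression
     file name are assumptions made for this example. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>${dependency-check.version}</version>
      <configuration>
        <!-- Fail the build on any finding at or above this CVSS score, so a
             dependency bump that pulls in a new High/Critical CVE is caught
             in CI instead of shipping unnoticed (the question raised in the
             thread about verifying a version bump). -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Reviewed false positives are recorded here with a reason, rather
             than by raising the threshold for the whole module. -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <!-- Run the scan on every `mvn verify` so the report always
               reflects the current dependency set. -->
          <phase>verify</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` once before and once after a dependency bump and compare the two generated reports (by default `target/dependency-check-report.html`): a finding such as CVE-2016-4000 should disappear from the second report, and anything newly listed is the regression the bump introduced.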
[jira] [Commented] (FLINK-10303) Fix critical vulnerabilities Python API
[ https://issues.apache.org/jira/browse/FLINK-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16607937#comment-16607937 ]

Chesnay Schepler commented on FLINK-10303:

How can I verify that bumping the version to 2.7.1 is not adding more security vulnerabilities?
[jira] [Commented] (FLINK-10303) Fix critical vulnerabilities Python API
[ https://issues.apache.org/jira/browse/FLINK-10303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16607869#comment-16607869 ]

vinoyang commented on FLINK-10303:

cc [~Zentol] Maybe this issue deserves our attention?