[jira] [Commented] (FLINK-24025) The components on which Flink depends may contain vulnerabilities. If yes, fix them.
[ https://issues.apache.org/jira/browse/FLINK-24025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17406150#comment-17406150 ]

Chesnay Schepler commented on FLINK-24025:
------------------------------------------

I see; that issue may be fixed in 1.14.0.

> The components on which Flink depends may contain vulnerabilities. If yes,
> fix them.
>
>                 Key: FLINK-24025
>                 URL: https://issues.apache.org/jira/browse/FLINK-24025
>             Project: Flink
>          Issue Type: Improvement
>          Components: Build System
>    Affects Versions: 1.11.3
>            Reporter: mixedfruit
>            Priority: Minor
>
> Flink v1.11.3 contains netty (version 3.10.6), commons-compress (version 1.20), slf4j (version 1.7.15), cxf-rt-rs-json-basic (version 3.4.0) and bzip2 (version 1.0.6). There are many vulnerabilities, like CVE-2020-13954, CVE-2021-22696, CVE-2021-30468, CVE-2018-8088, CVE-2021-21409, CVE-2021-35517 etc. Please confirm these versions and fix. thx

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (FLINK-24025) The components on which Flink depends may contain vulnerabilities. If yes, fix them.
[ https://issues.apache.org/jira/browse/FLINK-24025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17406085#comment-17406085 ]

mixedfruit commented on FLINK-24025:
------------------------------------

bzip2: CVE-2019-12900 and CVE-2016-3189, from librocksdbjni-linux-ppc64le.so, librocksdbjni-linux64.so, librocksdbjni-osx.jnilib and librocksdbjni-linux32.so
[jira] [Commented] (FLINK-24025) The components on which Flink depends may contain vulnerabilities. If yes, fix them.
[ https://issues.apache.org/jira/browse/FLINK-24025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17405857#comment-17405857 ]

Chesnay Schepler commented on FLINK-24025:
------------------------------------------

* commons-compress: FLINK-24034
* slf4j: Either you are referencing a vulnerability which only applies to slf4j-ext, in which case it doesn't apply to Flink (see FLINK-23444), or some other vulnerability, in which case you should upgrade to 1.14.0 once it is released (see FLINK-22407).
* netty: Will not be upgraded for technical reasons.
* cxf-rt-rs-json-basic: I've never heard of this dependency, so it's unlikely to come from Flink. Please specify where exactly you found it.
* bzip2: Please specify where exactly you found this dependency.
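As an added example that is not part of this Jira thread or of Flink's own code: a Python helper for the "where exactly did you find it" question above. It inventories the Maven coordinates a shaded jar actually bundles (from its META-INF/maven/*/pom.properties entries), separately lists the native libraries it carries (where a statically linked bzip2 inside librocksdbjni would hide, invisible to pom.properties), and compares a reported artifact list against what is shipped. The jar contents are constructed in memory; the artifact names and versions are the ones from the report.

```python
import io
import zipfile

def build_sample_jar() -> bytes:
    """Constructed in-memory jar standing in for a shaded distribution jar; the
    .so entry stands in for a RocksDB JNI library bundling its own bzip2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for group, artifact, version in [
            ("org.slf4j", "slf4j-api", "1.7.15"),
            ("org.apache.commons", "commons-compress", "1.20"),
            ("io.netty", "netty", "3.10.6"),
        ]:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        zf.writestr("librocksdbjni-linux64.so", b"\x7fELF constructed placeholder")
    return buf.getvalue()

def bundled_artifacts(jar_bytes: bytes) -> dict:
    """Map (groupId, artifactId) -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.strip().partition("=")
                    if sep and not key.startswith("#"):  # skip Maven's comment lines
                        props[key.strip()] = value.strip()
                if "artifactId" in props:
                    found[(props.get("groupId", ""), props["artifactId"])] = props.get("version", "")
    return found

def native_libraries(jar_bytes: bytes) -> list:
    """Native libraries whose statically linked code pom.properties cannot reveal."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.endswith((".so", ".jnilib", ".dylib", ".dll")))

def triage(jar_bytes: bytes, reported: dict) -> dict:
    """For each reported artifactId -> version, say whether the jar actually ships it."""
    shipped = {artifact: ver for (_, artifact), ver in bundled_artifacts(jar_bytes).items()}
    status = {}
    for artifact, version in reported.items():
        if artifact not in shipped:
            status[artifact] = "not bundled"  # e.g. slf4j-ext: a CVE in it does not apply
        else:
            status[artifact] = ("bundled at reported version" if shipped[artifact] == version
                                else f"bundled at {shipped[artifact]}, not {version}")
    return status
```

Run it against a real flink-dist or RocksDB jar by passing the file's bytes instead of build_sample_jar(); a "not bundled" result for an artifact means the scanner that flagged it should be asked which file it matched.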