This is an automated email from the ASF dual-hosted git repository.

damccorm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git


The following commit(s) were added to refs/heads/master by this push:
     new 59640281c9c Call out fixed security vulnerabilities (#28400)
59640281c9c is described below

commit 59640281c9cc1fefac6b1f5a865fc23e3e3ab938
Author: Danny McCormick <dannymccorm...@google.com>
AuthorDate: Mon Sep 11 21:14:21 2023 -0400

    Call out fixed security vulnerabilities (#28400)
    
    * Call out fixed security vulnerabilities
    
    These will get automatically picked up when we pick up the new
    `python:3.XX-bullseye` images which have upgraded their debian versions already
    (for example
    https://hub.docker.com/layers/library/python/3.9-bullseye/images/sha256-d7e28b2648cb4611a94f068d92a236e7faaf6edb7589e01c09c1c16035c26d0a?context=explore
    has debian/aom 1.0.0.errata1-3+deb11u1 which has the fix). I confirmed that
    all 4 versions 3.<8, 9, 10, and 11> have the fix.
    
    * Add to blog
---
 CHANGES.md                                      | 3 ++-
 website/www/site/content/en/blog/beam-2.50.0.md | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index e9a3044b6ea..b9ad4718645 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -83,7 +83,7 @@
 * Fixed X (Java/Python) ([#X](https://github.com/apache/beam/issues/X)).
 
 ## Security Fixes
-* Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] 
(Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)).
+* Python containers updated, fixing 
[CVE-2021-30474](https://nvd.nist.gov/vuln/detail/CVE-2021-30474), 
[CVE-2021-30475](https://nvd.nist.gov/vuln/detail/CVE-2021-30475), 
[CVE-2021-30473](https://nvd.nist.gov/vuln/detail/CVE-2021-30473), 
[CVE-2020-36133](https://nvd.nist.gov/vuln/detail/CVE-2020-36133), 
[CVE-2020-36131](https://nvd.nist.gov/vuln/detail/CVE-2020-36131), 
[CVE-2020-36130](https://nvd.nist.gov/vuln/detail/CVE-2020-36130), and 
[CVE-2020-36135](https://nvd.nist.gov/vuln/detail/ [...]
 
 ## Known Issues
 
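Review bot: the new Security Fixes bullet drops the issue reference that the template line it replaces asks for (`([#X](https://github.com/apache/beam/issues/X))`), so a reader cannot trace which change delivered the fix; suggest closing the entry with a link to this PR (#28400) or the tracking issue, and naming the package version the commit message cites (`debian/aom 1.0.0.errata1-3+deb11u1`) so operators can verify the container they actually run. The change from the template's inverted `(text)[url]` to proper `[text](url)` markdown is correct and should be kept.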
@@ -146,6 +146,7 @@
 
 * Long-running Python pipelines might experience a memory leak: 
[#28246](https://github.com/apache/beam/issues/28246).
 * Python Pipelines using BigQuery IO or `orjson` dependency might experience 
segmentation faults or get stuck: 
[#28318](https://github.com/apache/beam/issues/28318).
+* Beam Python containers rely on a version of Debian/aom that has several 
security vulnerabilities: 
[CVE-2021-30474](https://nvd.nist.gov/vuln/detail/CVE-2021-30474), 
[CVE-2021-30475](https://nvd.nist.gov/vuln/detail/CVE-2021-30475), 
[CVE-2021-30473](https://nvd.nist.gov/vuln/detail/CVE-2021-30473), 
[CVE-2020-36133](https://nvd.nist.gov/vuln/detail/CVE-2020-36133), 
[CVE-2020-36131](https://nvd.nist.gov/vuln/detail/CVE-2020-36131), 
[CVE-2020-36130](https://nvd.nist.gov/vuln/detail/CVE-202 [...]
 
 
 # [2.49.0] - 2023-07-17
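Review bot: this Known Issues bullet states the problem but gives no pointer to where it is resolved, even though the same commit records the fix in the Security Fixes section of the unreleased section above; suggest ending the bullet with a cross-reference to that fix (the PR link and the fixed package version `debian/aom 1.0.0.errata1-3+deb11u1`) so readers of the 2.50.0 notes know the issue is already addressed and what version to check for in their Python containers.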
diff --git a/website/www/site/content/en/blog/beam-2.50.0.md 
b/website/www/site/content/en/blog/beam-2.50.0.md
index 7610459087c..4cfddd6167a 100644
--- a/website/www/site/content/en/blog/beam-2.50.0.md
+++ b/website/www/site/content/en/blog/beam-2.50.0.md
@@ -77,6 +77,7 @@ For more information on changes in 2.50.0, check out the 
[detailed release notes
 
 * Fixed DirectRunner bug in Python SDK where GroupByKey gets empty PCollection 
and fails when pipeline option 
`direct_num_workers!=1`.([#27373](https://github.com/apache/beam/pull/27373))
 * Fixed BigQuery I/O bug when estimating size on queries that utilize 
row-level security ([#27474](https://github.com/apache/beam/pull/27474))
+* Beam Python containers rely on a version of Debian/aom that has several 
security vulnerabilities: 
[CVE-2021-30474](https://nvd.nist.gov/vuln/detail/CVE-2021-30474), 
[CVE-2021-30475](https://nvd.nist.gov/vuln/detail/CVE-2021-30475), 
[CVE-2021-30473](https://nvd.nist.gov/vuln/detail/CVE-2021-30473), 
[CVE-2020-36133](https://nvd.nist.gov/vuln/detail/CVE-2020-36133), 
[CVE-2020-36131](https://nvd.nist.gov/vuln/detail/CVE-2020-36131), 
[CVE-2020-36130](https://nvd.nist.gov/vuln/detail/CVE-202 [...]
 
 ## Known Issues
 
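Review bot: the added bullet lands among the bugfix entries (directly after the BigQuery I/O fix) rather than under the `## Known Issues` heading that follows two lines later, so the blog post will present an open vulnerability in the Python containers as a fixed bug; move the bullet below `## Known Issues`, and add the same issue/PR reference and fixed `debian/aom` version suggested for CHANGES.md so readers can verify whether their container is affected.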
