[ https://issues.apache.org/jira/browse/HADOOP-17556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adam Roberts updated HADOOP-17556:
----------------------------------
    Description:
Hi everyone, have been raising a few JIRAs recently related to dependencies in Flink and Hadoop, and for Hadoop I have noticed the following versions of Netty in use. I'm wondering if we can work to upgrade these (potentially all to the same version) to remediate any CVEs we have.

Here's what the Twistlock container scan picked up (so, this is Flink with Hadoop 3.3.1 snapshot, which I've scanned), so any thoughts or upgrade ideas would be most welcome.

"version": "3.10.6.Final"
"name": "io.netty_netty"
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"

"version": "4.1.50.Final"
"name": "io.netty_netty-all"
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"

"version": "4.1.42.Final"
"name": "io.netty_netty-codec"
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"

The latest 4.1 Netty I see is {{[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.59.Final]}} which may help with the above findings (assume things are all compatible!), thanks

  was:
Hi everyone, have been raising a few JIRAs recently related to dependencies in Flink and Hadoop, and for Hadoop I have noticed the following versions of Netty in use. I'm wondering if we can work to upgrade these (potentially all to the same version) to remediate any CVEs we have.

Here's what the Twistlock container scan picked up (so, this is Flink with Hadoop 3.3.1 snapshot, which I've scanned), so any thoughts or upgrade ideas would be most welcome!

{ "version": "3.10.6.Final",
  "name": "io.netty_netty",
  "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar" },
{ "version": "4.1.50.Final",
  "name": "io.netty_netty-all",
  "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar" },
{ "version": "4.1.42.Final",
  "name": "io.netty_netty-codec",
  "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar" },

The latest 4.1 Netty I see is {{[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.59.Final]}} which may help with the above findings (assume things are all compatible!), thanks

> Understanding Netty versions and upgrading them (three findings in Hadoop we
> could upgrade?)
> --------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-17556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17556
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Adam Roberts
>            Priority: Major
>
> Hi everyone, have been raising a few JIRAs recently related to dependencies
> in Flink and Hadoop, and for Hadoop I have noticed the following versions of
> Netty in use. I'm wondering if we can work to upgrade these (potentially all
> to the same version) to remediate any CVEs we have.
>
> Here's what the Twistlock container scan picked up (so, this is Flink with
> Hadoop 3.3.1 snapshot, which I've scanned), so any thoughts or upgrade ideas
> would be most welcome.
>
> "version": "3.10.6.Final"
> "name": "io.netty_netty"
> "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
>
> "version": "4.1.50.Final"
> "name": "io.netty_netty-all"
> "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
>
> "version": "4.1.42.Final"
> "name": "io.netty_netty-codec"
> "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
>
> The latest 4.1 Netty I see is
> {{[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.59.Final]}}
>
> which may help with the above findings (assume things are all compatible!),
> thanks

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
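
An added example, not part of the original message and not Hadoop's or Flink's own code: one way to confirm a scanner finding like the one reported above is to read the `pom.properties` files that Maven-built jars carry under `META-INF/maven/` and list every bundled `io.netty` version. It assumes the shaded jar kept those files; the function names are hypothetical and the sample jar is constructed in memory using the versions from the report.

```python
import io
import zipfile
from collections import defaultdict

def bundled_versions(jar_bytes, group_id="io.netty"):
    """Return {artifactId: [versions]} for one groupId, taken from the
    META-INF/maven/<groupId>/<artifactId>/pom.properties entries of a jar."""
    found = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():  # infolist() also yields duplicate entry names
            name = info.filename
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(info).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if props.get("groupId") == group_id and "version" in props:
                found[props.get("artifactId", "?")].add(props["version"])
    return {artifact: sorted(vs) for artifact, vs in found.items()}

def mixed_release_lines(versions):
    """Return the major.minor lines that are bundled at more than one version."""
    lines = defaultdict(set)
    for vs in versions.values():
        for v in vs:
            lines[".".join(v.split(".")[:2])].add(v)
    return {line: sorted(vs) for line, vs in lines.items() if len(vs) > 1}

def build_sample_jar():
    """Constructed stand-in for the uber jar; versions mirror the scan output."""
    entries = {"netty": "3.10.6.Final", "netty-all": "4.1.50.Final",
               "netty-codec": "4.1.42.Final"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for artifact, version in entries.items():
            jar.writestr(f"META-INF/maven/io.netty/{artifact}/pom.properties",
                         f"#Generated by Maven\nversion={version}\n"
                         f"groupId=io.netty\nartifactId={artifact}\n")
        # Unrelated constructed dependency, must be ignored by the groupId filter.
        jar.writestr("META-INF/maven/org.example/other/pom.properties",
                     "version=1.0\ngroupId=org.example\nartifactId=other\n")
    return buf.getvalue()

if __name__ == "__main__":
    versions = bundled_versions(build_sample_jar())
    print(versions)
    print("mixed release lines:", mixed_release_lines(versions))
```

To run it against a real artifact, pass the bytes of the jar file to `bundled_versions` instead of the constructed sample.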