+1 (binding)

Successfully verified the following:
- Checksums and gpg signatures
- No binaries in source release
- Build from source, build image from source
- Helm Repo works, Helm install works
- Notice files look good
- Upgraded a cluster from 1.0.0 and run some examples

Specifically for FLINK-28637 <https://issues.apache.org/jira/browse/FLINK-28637>:
Thank you for reporting it, Jim. Fortunately both the Fabric8 and the JOSDK
communities were very responsive, which gives a path for fixing this. However,
given the following:

1. The HTTP client is internal to the operator, this vulnerability is very
unlikely to affect it,
2. We also need to bump the dependency within the Flink native k8s
integration,
3. We need extensive testing to make sure the new dependency version
behaves properly,

My suggestion is to release 1.1.0 with this as a known issue and fix it in
1.1.1. That said, we can merge a fix for it to release-1.1 as soon as
possible, so folks who are prohibited from using the 1.1.0 version can roll
their own image from source.
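For anyone deciding whether to wait for 1.1.1 or build from source, the first question is which okhttp (and fabric8) version the shaded operator jar actually bundles. The script below is an added example, not the operator project's own code: it reads the Maven `pom.properties` entries that shade plugins normally keep under `META-INF/maven/<groupId>/<artifactId>/` and reports the bundled versions. It assumes those entries were not stripped from the jar; the sample jar it builds and the `0.0.0-SAMPLE` versions in it are constructed, not the real release contents.

```python
import os
import tempfile
import zipfile

MAVEN_PREFIX = "META-INF/maven/"


def bundled_versions(jar_path):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if not (name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # comments and blank lines in the properties file
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def bundled_version(jar_path, group_id, artifact_id):
    """Version of one dependency bundled in the jar, or None if its metadata is absent."""
    return bundled_versions(jar_path).get((group_id, artifact_id))


def make_sample_jar(path):
    """Constructed stand-in for the shaded jar; the versions here are placeholders."""
    entries = {
        "META-INF/maven/com.squareup.okhttp3/okhttp/pom.properties":
            "#Generated by Maven\nversion=0.0.0-SAMPLE\ngroupId=com.squareup.okhttp3\nartifactId=okhttp\n",
        "META-INF/maven/io.fabric8/kubernetes-client/pom.properties":
            "version=0.0.0-SAMPLE\ngroupId=io.fabric8\nartifactId=kubernetes-client\n",
    }
    with zipfile.ZipFile(path, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return path


def sample_jar_versions():
    """Build the constructed jar in a temp dir and return what bundled_versions() finds."""
    with tempfile.TemporaryDirectory() as tmp:
        return bundled_versions(make_sample_jar(os.path.join(tmp, "sample-shaded.jar")))


if __name__ == "__main__":
    for (group, artifact), version in sorted(sample_jar_versions().items()):
        print(f"{group}:{artifact} -> {version}")
```

Point `bundled_version()` at the real `flink-kubernetes-operator-1.1.0-shaded.jar` with `com.squareup.okhttp3` / `okhttp` to see the shipped version; a `None` result means the jar carries no Maven metadata for it and you need to inspect the relocated classes instead.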


On Thu, Jul 21, 2022 at 6:33 PM Gyula Fóra <gyula.f...@gmail.com> wrote:

> Thank you for flagging this Jim. I looked a little into this and it comes
> from the fabric8 client, so it affects all current operator (and flink)
> versions.
>
> I think it would be a bit risky for us to manually bump this dependency as
> the usage is not controlled by us and it's hard to test for all the
> consequences of this major version change in the http client.
> Also it seems that this vulnerability would require direct user access to
> the http client, which is not the case here.
>
> At this point I think we should not consider this a blocker, I have also
> commented on the jira ticket.
>
> Gyula
>
> On Thu, Jul 21, 2022 at 6:27 PM Jim Busche <jbus...@us.ibm.com> wrote:
>
> > Thanks for the release
> >
> > I’m continuing to test and so far it’s looking good, but I found a high
> > security vulnerability in the
> > /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> > file.  I’ve created issue FLINK-28637
> > <https://issues.apache.org/jira/browse/FLINK-28637> and seeing if I can
> > successfully upgrade to the newer okhttp version.
> >
> >
> >
> > Thanks, Jim
> >
>
