[ https://issues.apache.org/jira/browse/BEAM-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306254#comment-17306254 ]
Tomo Suzuki commented on BEAM-11227:
------------------------------------

I'm ok with this being fixed in 2.30.0. (It's not blocking me.)

I saw Kenn's email about the vote passed for the vendored gRPC release and [https://search.maven.org/artifact/org.apache.beam/beam-vendor-grpc-1_36_0/0.1/jar] is available. I'll work on the PR today.

> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Assignee: Kenneth Knowles
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 44h 50m
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] » [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3] uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.
>
> *+Affected Versions:+*
> Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.
>
> *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)