[ https://issues.apache.org/jira/browse/BEAM-11227?focusedWorklogId=572654&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-572654 ]
ASF GitHub Bot logged work on BEAM-11227: ----------------------------------------- Author: ASF GitHub Bot Created on: 26/Mar/21 13:23 Start Date: 26/Mar/21 13:23 Worklog Time Spent: 10m Work Description: suztomo edited a comment on pull request #14295: URL: https://github.com/apache/beam/pull/14295#issuecomment-806071087 The latest Java preocommit timed out. No constant failures but I see this PR is more likely have timeout and (flaky) test failures than a PR with an empty change (https://github.com/apache/beam/pull/14307). Screenshot for comparision <img width="833" alt="Screen Shot 2021-03-24 at 14 39 12" src="https://user-images.githubusercontent.com/28604/112366244-f3f43c80-8cae-11eb-9ab5-05be75cbf708.png"> @amaliujia Do you happen to have some insight into this? Memo for myself. Maybe I can do a binary search between gRPC 1.26 and 1.36. For each version, I create a pull request and run Java Precommit 3 times. - gRPC 1.36.0: this PR (Bad) - gRPC 1.34: https://github.com/apache/beam/pull/14334 (Bad; failed on node 5, 8, 11) - gRPC 1.32.2: https://github.com/apache/beam/pull/14340 (Good; succeeded on node 5, 5, 11; failed on node 5) - gRPC 1.31: https://github.com/apache/beam/pull/14329 (Good; succeeded on node 5, 5, 11, 12; failed on node 5) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking ------------------- Worklog Id: (was: 572654) Time Spent: 76h 50m (was: 76h 40m) > Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 > --------------------------------------------------------- > > Key: BEAM-11227 > URL: https://issues.apache.org/jira/browse/BEAM-11227 > Project: Beam > Issue Type: Bug > Components: build-system > Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0 > Reporter: Boury Mbodj > Assignee: Kenneth Knowles > Priority: P1 > Labels: apache-beam, beam > Fix For: 2.29.0 > > Time Spent: 76h 50m > Remaining Estimate: 0h > > *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: > 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] > » > [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3] > uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a > privilege escalation vulnerability. This issue (CVE-2020-27216) was published > on 23/10/2020. > *+Affected Versions:+* > Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior > and 11.0.0.beta2 and prior. > *+Recommendation/+* *+Update Suggestion:+* > Update the Eclipse Jetty dependency to version 9.4.33.v20201020, > 10.0.0.beta3, 11.0.0.beta3 or later. > -- This message was sent by Atlassian Jira (v8.3.4#803005)