[
https://issues.apache.org/jira/browse/FLINK-18841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chesnay Schepler closed FLINK-18841.
------------------------------------
Resolution: Later
The table planner already uses guava 29.0-jre. We can bump the flink-shaded
version at some point; at the moment it is not a priority.
> CVE-2018-10237 and CWE-400 occurred in flink dependency
> --------------------------------------------------------
>
> Key: FLINK-18841
> URL: https://issues.apache.org/jira/browse/FLINK-18841
> Project: Flink
> Issue Type: Bug
> Components: Table SQL / Planner
> Affects Versions: 1.11.1
> Environment: flink:1.11.1
> scala:2.11
> Reporter: Jeff Hu
> Priority: Major
>
> CVE-2018-10237 and CWE-400 are caused by the jar {{com.google.guava:guava:18.0}}
> included in {{flink-shaded-guava-18.0-6.0.jar}} and
> {{flink-table-planner_2.11-1.11.1.jar}}. These dependencies are internal
> references from Flink.
> [https://github.com/apache/flink/blob/master/pom.xml]
> <!-- WARN:
>   DO NOT put guava,
>   protobuf,
>   asm,
>   netty
>   here. It will overwrite Hadoop's guava dependency (even though we handle it
>   separatly in the flink-shaded-hadoop-2 dependency).
> -->
> <dependencies>
>
>   <dependency>
>     <groupId>org.apache.flink</groupId>
>     <artifactId>flink-shaded-asm-7</artifactId>
>     <version>7.1-${flink.shaded.version}</version>
>   </dependency>
>
>   <dependency>
>     <groupId>org.apache.flink</groupId>
>     <artifactId>flink-shaded-guava</artifactId>
>     <version>18.0-${flink.shaded.version}</version>
>   </dependency>
>
>
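The security-relevant point in this report is that a shaded artifact such as
flink-shaded-guava carries the upstream Guava version only as a prefix of its
own version string (18.0-${flink.shaded.version}), so a dependency scanner that
keys on com.google.guava:guava alone will not see it. The following script is
an added example, not code from the Flink project or from this issue: it walks
constructed `mvn dependency:tree` output lines, recovers the Guava version from
both the plain and the Flink-shaded coordinates, and flags versions in the
CVE-2018-10237 range (Guava 11.0 up to but excluding the fixed 24.1.1). The
sample tree, the function names and the regex are assumptions made here.

```python
import re
from typing import List, Optional, Tuple

# CVE-2018-10237 affects Guava 11.0 through 24.1; fixed in 24.1.1.
GUAVA_FIRST_AFFECTED = (11, 0, 0)
GUAVA_FIXED = (24, 1, 1)

# Coordinates whose version string starts with the Guava version they bundle.
GUAVA_COORDINATES = {
    ("com.google.guava", "guava"),
    ("org.apache.flink", "flink-shaded-guava"),
}

# One `mvn dependency:tree` line: "[INFO] +- group:artifact:jar:version:scope".
LINE_RE = re.compile(
    r"^\[INFO\]\s+[|+\\ -]*([\w.-]+):([\w.-]+):jar:([^:\s]+):(\w+)"
)

# Constructed sample output (hypothetical, not a real Flink build).
SAMPLE_TREE = """\
[INFO] org.apache.flink:flink-table-planner_2.11:jar:1.11.1:compile
[INFO] +- org.apache.flink:flink-shaded-guava:jar:18.0-6.0:compile
[INFO] +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] \\- org.apache.flink:flink-shaded-asm-7:jar:7.1-6.0:compile
"""


def guava_version(group: str, artifact: str, version: str) -> Optional[Tuple[int, ...]]:
    """Return the bundled Guava version as an int tuple, or None if not Guava.

    For "29.0-jre" the numeric prefix is "29.0"; for the shaded "18.0-6.0"
    it is "18.0" (the part after the first '-' is the flink-shaded release).
    """
    if (group, artifact) not in GUAVA_COORDINATES:
        return None
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the Guava version falls in the CVE-2018-10237 range."""
    padded = (version + (0, 0, 0))[:3]  # compare as major.minor.patch
    return GUAVA_FIRST_AFFECTED <= padded < GUAVA_FIXED


def find_vulnerable_guava(tree_text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) for every affected Guava in the tree."""
    findings = []
    for line in tree_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        group, artifact, version, _scope = match.groups()
        bundled = guava_version(group, artifact, version)
        if bundled is not None and is_vulnerable(bundled):
            findings.append((f"{group}:{artifact}", version))
    return findings


if __name__ == "__main__":
    for coordinate, version in find_vulnerable_guava(SAMPLE_TREE):
        print(f"affected: {coordinate}:{version}")
```

On the constructed sample the plain guava 29.0-jre passes while the shaded
18.0-6.0 artifact is reported, which is exactly the case a scanner limited to
the com.google.guava coordinate misses. Feeding it the real output of
`mvn dependency:tree` for a Flink module gives the same check on a live build.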
--
This message was sent by Atlassian Jira
(v8.3.4#803005)