[ https://issues.apache.org/jira/browse/FLINK-21546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17297475#comment-17297475 ]

Adam Roberts commented on FLINK-21546:
--------------------------------------

This has been closed but I've actually done a scan today against Flink 1.12.2
and 1.13 snapshot (building it myself) and I see

"link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445",
"type": "image",
"layerTime": 1615203557,
"templates": [],
"twistlock": false,
"published": 1580332500,
"discovered": "0001-01-01T00:00:00Z",
"severityCHML": "C",
"packageName": "io.netty_netty-codec",
"packageVersion": "4.1.42.Final",
"packageBinaryPkgs": [],
"packageType": "jar",
"packagePath": "/opt/flink/opt/flink-python_2.11-1.13-SNAPSHOT.jar",

still, with a suggestion to move up to netty 4.1.44. Any thoughts on this one?
Am I right in assuming it requires
https://issues.apache.org/jira/browse/FLINK-21021 because of the beam upgrade
required?

> Upgrade io.netty netty-codec in Flink (four findings)
> -----------------------------------------------------
>
>                 Key: FLINK-21546
>                 URL: https://issues.apache.org/jira/browse/FLINK-21546
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Adam Roberts
>            Priority: Major
>
> Hi everyone, have been raising plenty of JIRAs after doing a Twistlock 
> container scan for Flink 1.11.3 and Hadoop 3.3.1 snapshot, for Flink itself 
> (so without using Hadoop) I've noticed the following libraries in use 
> (unfortunately I don't get a path where, but somewhere in Flink they must be, 
> or in a dependent jar?).
>
> {"fixed in 4.1.46","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> {"fixed in 4.1.44","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> {"fixed in 4.1.44","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
> {"fixed in 4.1.42.Final","packageName":"io.netty_netty-codec","packageVersion":"4.1.34.Final"}
>
> https://issues.apache.org/jira/browse/HADOOP-17556 may be useful as well
> Could we move up to Netty 4.1.46 (or something even newer?) across everything 
> Flink's using? Again, I apologise for not having the paths to figure out what 
> exactly is using it, but perhaps folks working directly with Flink may have a 
> clue? Thanks
>  
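The question running through both the original report and the follow-up comment is the same triage step: is the netty-codec version shipped in the jar still below the "fixed in" version, and which single upgrade (4.1.46 here) clears every finding? The helper below is an added example, not code from the Flink project or from this thread; the keys "fixed in", "packageName" and "packageVersion" are taken from the quoted scanner output, the sample lines are constructed, and the ".Final" handling (a release qualifier that does not change ordering) is an assumption about Netty's versioning.

```python
"""Triage Twistlock-style findings: compare the installed jar version with the
'fixed in' version and pick one upgrade target per package."""
import json

# Constructed sample in the shape of the findings quoted in this thread
# (keys taken from the quoted output; values illustrative).
SAMPLE_FINDINGS = """
{"fixed in": "4.1.46", "packageName": "io.netty_netty-codec", "packageVersion": "4.1.34.Final"}
{"fixed in": "4.1.44", "packageName": "io.netty_netty-codec", "packageVersion": "4.1.34.Final"}
{"fixed in": "4.1.44", "packageName": "io.netty_netty-codec", "packageVersion": "4.1.42.Final"}
{"fixed in": "4.1.42.Final", "packageName": "io.netty_netty-codec", "packageVersion": "4.1.42.Final"}
"""


def numeric_parts(version):
    """'4.1.42.Final' -> (4, 1, 42). Stops at the first non-numeric segment,
    so a release qualifier such as 'Final' does not influence ordering."""
    parts = []
    for seg in version.split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def is_older(installed, fixed_in):
    """True when installed < fixed_in; shorter tuples are zero-padded so 4.1 == 4.1.0."""
    a, b = numeric_parts(installed), numeric_parts(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def load_findings(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def open_findings(findings):
    """Findings whose installed version is still below the fix version."""
    return [f for f in findings if is_older(f["packageVersion"], f["fixed in"])]


def upgrade_targets(findings):
    """One target per package: the highest 'fixed in' among its open findings,
    i.e. the single version that clears every open finding at once."""
    targets = {}
    for f in open_findings(findings):
        name, fix = f["packageName"], f["fixed in"]
        if name not in targets or is_older(targets[name], fix):
            targets[name] = fix
    return targets


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS)
    print(len(open_findings(findings)), "open finding(s)")
    print(upgrade_targets(findings))
```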



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
