[ https://issues.apache.org/jira/browse/FLINK-3154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539097#comment-17539097 ]
Himanshu Shah commented on FLINK-3154:
--------------------------------------

An open vulnerability due to no class whitelisting in versions prior to kryo 5.0.0 is flagged up as a security risk for flink.
[https://github.com/EsotericSoftware/kryo/issues/398]

Is there a plan to upgrade to a newer version of kryo to remediate?

> Update Kryo version from 2.24.0 to 5.2.0
> ----------------------------------------
>
>                 Key: FLINK-3154
>                 URL: https://issues.apache.org/jira/browse/FLINK-3154
>             Project: Flink
>          Issue Type: Improvement
>          Components: API / Type Serialization System
>    Affects Versions: 1.0.0
>            Reporter: Maximilian Michels
>            Priority: Not a Priority
>
> Flink's Kryo version is outdated and could be updated to a newer version,
> e.g. kryo-3.0.3.
> From ML: we cannot bump the Kryo version easily - the serialization format
> changed (that's why they have a new major version), which would render all
> Flink savepoints and checkpoints incompatible.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)