[jira] [Created] (FLINK-34575) Vulnerabilities in commons-compress 1.24.0; upgrade to 1.26.0 needed.

Adrian Vasiliu (Jira) Mon, 04 Mar 2024 07:28:29 -0800

Adrian Vasiliu created FLINK-34575:
--------------------------------------

             Summary: Vulnerabilities in commons-compress 1.24.0; upgrade to 
1.26.0 needed.
                 Key: FLINK-34575
                 URL: https://issues.apache.org/jira/browse/FLINK-34575
             Project: Flink
          Issue Type: Bug
    Affects Versions: 1.18.1
            Reporter: Adrian Vasiliu



Since Feb. 19, medium/high CVEs have been found for commons-compress 1.24.0:
[https://nvd.nist.gov/vuln/detail/CVE-2024-25710]
https://nvd.nist.gov/vuln/detail/CVE-2024-26308

[https://github.com/apache/flink/pull/24352] has been opened automatically on 
Feb. 21 by dependabot for bumping commons-compress to v1.26.0 which fixes the 
CVEs, but two CI checks are red on the PR.

Flink's dependency on commons-compress has been upgraded to v1.24.0 in Oct 2023 
(https://issues.apache.org/jira/browse/FLINK-33329).
v1.24.0 is the version currently in the master 
branch:[https://github.com/apache/flink/blob/master/pom.xml#L727-L729|https://github.com/apache/flink/blob/master/pom.xml#L727-L729).].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (FLINK-34575) Vulnerabilities in commons-compress 1.24.0; upgrade to 1.26.0 needed.

Reply via email to