[ https://issues.apache.org/jira/browse/FLINK-39670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purushottam Sinha updated FLINK-39670:
--------------------------------------
    Description: 
Several Flink-controlled Java dependencies have known CVEs requiring updates:
- kafka-clients 3.2.3 (direct test-scope dep in flink-sql-client-test) contains CVE-2024-31141, CVE-2025-27817
- okhttp 3.7.0 (hardcoded test-scope override in flink-runtime) contains CVE-2018-20200
- wiremock-jre8 2.32.0 (test-scope in flink-metrics-influxdb) contains CVE-2023-41327, CVE-2023-41329

*Proposed updates:*
- Bump kafka-clients to 3.9.2 in flink-sql-client-test (direct test-scope dep)
- Drop the hardcoded okhttp 3.7.0 in flink-runtime so it inherits ${okhttp.version} (3.14.9) from the root pom
- Bump wiremock-jre8 to 2.35.2 in flink-metrics-influxdb

*Out of scope:*
CVEs that come in via Hadoop / Alluxio / kubernetes-client transitives.

Predecessor: https://issues.apache.org/jira/browse/FLINK-39580

  was:
Several Flink-controlled Java dependencies have known CVEs requiring updates:
- kafka-clients 3.2.3 (direct test-scope dep in flink-sql-client-test) contains CVE-2024-31141, CVE-2025-27817
- okhttp 3.7.0 (hardcoded test-scope override in flink-runtime) contains CVE-2018-20200
- zookeeper 3.7.2 (root pom managed pin) contains CVE-2024-23944
- wiremock-jre8 2.32.0 (test-scope in flink-metrics-influxdb) contains CVE-2023-41327, CVE-2023-41329

*Proposed updates:*
- Bump kafka-clients to 3.9.2 in flink-sql-client-test (direct test-scope dep)
- Drop the hardcoded okhttp 3.7.0 in flink-runtime so it inherits ${okhttp.version} (3.14.9) from the root pom
- Bump zookeeper.version to 3.8.5 (pairs with flink-shaded-zookeeper-3 3.8.5-21.0, already published on Maven Central); update the matching testcontainer Docker tag in FlinkTestcontainersConfigurator per the in-pom "keep in sync" comment
- Bump wiremock-jre8 to 2.35.2 in flink-metrics-influxdb

*Out of scope:*
CVEs that come in via Hadoop / Alluxio / kubernetes-client transitives.

Predecessor: https://issues.apache.org/jira/browse/FLINK-39580


> Bump Flink-controlled Java dependencies to resolve CVEs Part 2 (kafka-clients, okhttp, zookeeper, wiremock)
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-39670
>                 URL: https://issues.apache.org/jira/browse/FLINK-39670
>             Project: Flink
>          Issue Type: Improvement
>            Reporter: Purushottam Sinha
>            Priority: Major
>              Labels: security
>
> Several Flink-controlled Java dependencies have known CVEs requiring updates:
> - kafka-clients 3.2.3 (direct test-scope dep in flink-sql-client-test) contains CVE-2024-31141, CVE-2025-27817
> - okhttp 3.7.0 (hardcoded test-scope override in flink-runtime) contains CVE-2018-20200
> - wiremock-jre8 2.32.0 (test-scope in flink-metrics-influxdb) contains CVE-2023-41327, CVE-2023-41329
>
> *Proposed updates:*
> - Bump kafka-clients to 3.9.2 in flink-sql-client-test (direct test-scope dep)
> - Drop the hardcoded okhttp 3.7.0 in flink-runtime so it inherits ${okhttp.version} (3.14.9) from the root pom
> - Bump wiremock-jre8 to 2.35.2 in flink-metrics-influxdb
>
> *Out of scope:*
> CVEs that come in via Hadoop / Alluxio / kubernetes-client transitives.
>
> Predecessor: https://issues.apache.org/jira/browse/FLINK-39580
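The okhttp item in the ticket is an instance of a general Maven pitfall: a module pom that hardcodes a dependency version silently shadows the version the root pom manages, so a root-level bump never reaches that module. The check below, an added example that is not Flink's code, parses a root pom and a module pom and reports such shadowing overrides; both pom fragments are constructed and simplified and do not reproduce Flink's actual poms.

```python
# Added example (not Flink code): flag module-pom dependencies whose hardcoded
# <version> shadows the root pom's <dependencyManagement> entry.
import re, xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed, simplified root pom: a version property plus a managed version.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><okhttp.version>3.14.9</okhttp.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.squareup.okhttp3</groupId><artifactId>okhttp</artifactId>
      <version>${okhttp.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed module pom with a hardcoded test-scope override of the managed version.
MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.squareup.okhttp3</groupId><artifactId>okhttp</artifactId>
      <version>3.7.0</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

def _text(dep, tag):
    el = dep.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None

def managed_versions(root_pom_xml):
    """Map (groupId, artifactId) -> managed version, with ${property} refs expanded."""
    root = ET.fromstring(root_pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.iterfind("m:properties/*", NS)}
    managed = {}
    for dep in root.iterfind("m:dependencyManagement/m:dependencies/m:dependency", NS):
        raw = _text(dep, "version") or ""
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        managed[(_text(dep, "groupId"), _text(dep, "artifactId"))] = resolved
    return managed

def shadowing_overrides(root_pom_xml, module_pom_xml):
    """Return (groupId:artifactId, hardcoded, managed) for each module dependency
    whose explicit <version> differs from the version managed in the root pom."""
    managed = managed_versions(root_pom_xml)
    hits = []
    for dep in ET.fromstring(module_pom_xml).iterfind("m:dependencies/m:dependency", NS):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        hard = _text(dep, "version")
        if hard and key in managed and hard != managed[key]:
            hits.append((":".join(key), hard, managed[key]))
    return hits

if __name__ == "__main__":
    print(shadowing_overrides(ROOT_POM, MODULE_POM))
```

Removing the `<version>` element from a flagged module dependency is the fix the ticket proposes for okhttp, after which the module inherits whatever the root pom manages.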

--
This message was sent by Atlassian Jira
(v8.20.10#820010)