[
https://issues.apache.org/jira/browse/FLUME-3385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485148#comment-17485148
]
Lily Warner edited comment on FLUME-3385 at 2/1/22, 10:03 AM:
--------------------------------------------------------------
[~rgoers] -this issue is not a duplicate. This issue is about Jetty, a
transitive dependency of avro-ipc. The linked issue is about netty.-
-(What somewhat confuses the situation is that I also opened an issue for the
netty version, which *is* a duplicate)-
Edit: I missed that the linked issue did mention avro-ipc. My mistake.

was (Author: dev-warner):
[~rgoers] -this issue is not a duplicate. This issue is about Jetty, a
transitive dependency of avro-ipc. The linked issue is about netty.-
-(What somewhat confuses the situation is that I also opened an issue for the
netty version, which *-is-* a duplicate)-
Edit: I missed that the linked issue did mention avro-ipc. My mistake.

> flume-ng-sdk uses Avro-IPC version with vulnerable version of Jetty
> -------------------------------------------------------------------
>
> Key: FLUME-3385
> URL: https://issues.apache.org/jira/browse/FLUME-3385
> Project: Flume
> Issue Type: Dependency upgrade
> Affects Versions: 1.9.0
> Reporter: Lily Warner
> Priority: Major
> Fix For: 1.10.0
>
>
> Vulnerability: [https://nvd.nist.gov/vuln/detail/CVE-2011-4461]
> Need to upgrade to Avro IPC version
> [1.9.0|https://mvnrepository.com/artifact/org.apache.avro/avro-ipc/1.9.0] or
> later which does not depend on the vulnerable version of Jetty (it actually
> doesn't use Jetty at all)
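A check for the condition this issue describes, as an added example that is not part of the original message or of the Flume project: it parses `mvn dependency:tree` text output and reports every path by which a Jetty artifact enters the build, so the avro-ipc route can be confirmed before and after the upgrade. The sample tree, its `SAMPLE` version placeholders and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output. "SAMPLE" is a version
# placeholder, not the version Flume actually resolves.
SAMPLE_TREE = """\
[INFO] org.apache.flume:flume-ng-sdk:jar:1.9.0
[INFO] +- org.apache.avro:avro:jar:SAMPLE:compile
[INFO] +- org.apache.avro:avro-ipc:jar:SAMPLE:compile
[INFO] |  +- org.mortbay.jetty:jetty:jar:SAMPLE:compile
[INFO] |  |  \\- org.mortbay.jetty:jetty-util:jar:SAMPLE:compile
[INFO] |  \\- io.netty:netty:jar:SAMPLE:compile
[INFO] \\- org.slf4j:slf4j-api:jar:SAMPLE:compile
"""

# Maven group IDs under which Jetty has been published.
JETTY_GROUPS = ("org.mortbay.jetty", "org.eclipse.jetty")

# "[INFO] " + one 3-char indent unit per ancestor + optional "+- " or "\- "
# connector + groupId:artifactId:
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?([\w.\-]+):([\w.\-]+):")


def jetty_paths(tree_text):
    """Return the root-to-artifact path of every Jetty artifact in the tree."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # plugin banner, blank or build-summary line
        indent, connector, group, artifact = m.groups()
        depth = len(indent) // 3 + (1 if connector else 0)
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(f"{group}:{artifact}")
        if any(group == g or group.startswith(g + ".") for g in JETTY_GROUPS):
            hits.append(list(stack))
    return hits


def pulled_in_by(paths, coordinate):
    """Keep only the paths that pass through the given groupId:artifactId."""
    return [p for p in paths if coordinate in p[:-1]]


if __name__ == "__main__":
    for path in pulled_in_by(jetty_paths(SAMPLE_TREE), "org.apache.avro:avro-ipc"):
        print(" -> ".join(path))
```

Feed it the real output of `mvn dependency:tree` for the module under review; an empty result after the avro-ipc upgrade confirms the transitive Jetty dependency is gone.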