Hi Hong,
We were facing exactly the same Guava issues, and after analyzing those
CVEs, we came to the same conclusion as Chesnay mentioned.
Best regards,
Jing
On Fri, Feb 2, 2024 at 10:18 AM Chesnay Schepler wrote:
Guava CVEs don't apply because it's all about using its createTempDir
method which we don't use.
Zookeeper CVE doesn't really apply because it's a server-side issue.
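
One way to check the "which we don't use" claim against compiled code, as an added example that is not part of the thread or of Flink's tooling: parse each class file's constant pool and look for a method reference to Guava's `Files.createTempDir`, including under a relocated (shaded) package prefix. The function names, the `org/example/shaded/` prefix and the sample class bytes are constructed for illustration.

```python
import struct

# Bytes following the tag for every fixed-width constant-pool entry type.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def method_refs(class_bytes):
    """Return {(owner_class, method_name)} referenced by one .class file."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length, then the bytes
            (n,) = struct.unpack_from(">H", class_bytes, pos)
            pool[i] = (tag, class_bytes[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in _FIXED:
            pool[i] = (tag, class_bytes[pos:pos + _FIXED[tag]])
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        i += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    refs = set()
    for tag, raw in pool.values():
        if tag in (10, 11):  # Methodref / InterfaceMethodref
            cls_idx, nat_idx = struct.unpack(">HH", raw)
            (name_idx,) = struct.unpack(">H", pool[cls_idx][1])
            (meth_idx, _) = struct.unpack(">HH", pool[nat_idx][1])
            refs.add((pool[name_idx][1], pool[meth_idx][1]))
    return refs

def calls_create_temp_dir(class_bytes):
    """True if the class references Guava's Files.createTempDir, shaded or not."""
    return any(owner.endswith("com/google/common/io/Files") and name == "createTempDir"
               for owner, name in method_refs(class_bytes))

def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

def sample_class(owner, method):
    """Constructed sample: class-file header plus a 6-entry constant pool only."""
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7)
            + _utf8(owner) + b"\x07" + struct.pack(">H", 1)
            + _utf8(method) + _utf8("()Ljava/io/File;")
            + b"\x0c" + struct.pack(">HH", 3, 4)
            + b"\x0a" + struct.pack(">HH", 2, 5))
```

To audit a real build, feed `calls_create_temp_dir` every `.class` entry read from the jars on the classpath (for example with `zipfile`). A clean result covers direct call sites only; reflective invocations do not appear in the constant pool as method references.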
On 02/02/2024 09:42, Martijn Visser wrote:
To add to this: we can't upgrade to flink-shaded 18.0, since we've just
reverted that for Flink 1.19 because of the performance regression. We will
need a new flink-shaded version to deal with these performance regressions.
On Fri, Feb 2, 2024 at 9:39 AM Martijn Visser wrote:
Hi Hong,
I do have objections: upgrading Flink-Shaded in a patch version is
something that we should not take lightly, since it involves components
that are used in the core functionality of Flink. We've seen in the past
that changes in Flink Shaded have an impact on stability and performance. I
Hi all,
Recently, we detected some active CVEs on the flink-shaded-guava and
flink-shaded-zookeeper packages used in Flink 1.18. Since Flink 1.18 is
still in support for security fixes, we should consider fixing this.
However, since the vulnerable package is coming from flink-shaded, I wanted
to