You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Martijn Visser (Jira)" <ji...@apache.org> on 2022/07/27 11:27:00 UTC

[jira] [Closed] (FLINK-28714) Resolve CVEs from beam-vendor-grpc-1_26_0-0.3

     [ https://issues.apache.org/jira/browse/FLINK-28714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martijn Visser closed FLINK-28714.
----------------------------------
    Resolution: Duplicate

> Resolve CVEs from beam-vendor-grpc-1_26_0-0.3
> ---------------------------------------------
>
>                 Key: FLINK-28714
>                 URL: https://issues.apache.org/jira/browse/FLINK-28714
>             Project: Flink
>          Issue Type: Bug
>          Components: API / Python
>    Affects Versions: 1.13.6
>            Reporter: Bilna
>            Priority: Major
>
> The following CVEs comes from the transient dependency, BouncyCastle:1.54 through Apache Beam dependency in flink-python.
> CVE-2018-1000180, 
> CVE-2016-1000352,
> CVE-2016-1000344, 
> CVE-2016-1000340, 
> CVE-2016-1000342, 
> CVE-2016-1000343, 
> CVE-2016-1000338
> The issue comes from beam-vendor-grpc-1_26_0-0.3. 
>  
> The latest Flink uses apache beam 2.38.0 and its BouncyCastle version is 1.67. BouncyCastle should be of version 1.7 or greater
> grpc-Java:1.48.0 has removed BouncyCastle dependency.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)