You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/03/29 13:11:00 UTC
[jira] [Work logged] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty version
[ https://issues.apache.org/jira/browse/BEAM-14118?focusedWorklogId=749319&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-749319 ]
ASF GitHub Bot logged work on BEAM-14118:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 29/Mar/22 13:10
Start Date: 29/Mar/22 13:10
Worklog Time Spent: 10m
Work Description: jigga opened a new pull request #17206:
URL: https://github.com/apache/beam/pull/17206
Updated netty to 4.1.75.Final to address vulnerabilities discovered in 4.1.63.Final. Also updated netty tcnative to 2.0.51.Final.
Vulnerabilities details can be found in the JIRA story: https://issues.apache.org/jira/browse/BEAM-14118
------------------------
Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:
- [ ] [**Choose reviewer(s)**](https://beam.apache.org/contribute/#make-your-change) and mention them in a comment (`R: @username`).
- [ ] Format the pull request title like `[BEAM-XXX] Fixes bug in ApproximateQuantiles`, where you replace `BEAM-XXX` with the appropriate JIRA issue, if applicable. This will automatically link the pull request to the issue.
- [ ] Update `CHANGES.md` with noteworthy changes.
- [ ] If this contribution is large, please file an Apache [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
See the [Contributor Guide](https://beam.apache.org/contribute) for more tips on [how to make review process smoother](https://beam.apache.org/contribute/#make-reviewers-job-easier).
To check the build health, please visit [https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md](https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md)
GitHub Actions Tests Status (on master branch)
------------------------------------------------------------------------------------------------
[](https://github.com/apache/beam/actions?query=workflow%3A%22Build+python+source+distribution+and+wheels%22+branch%3Amaster+event%3Aschedule)
[](https://github.com/apache/beam/actions?query=workflow%3A%22Python+Tests%22+branch%3Amaster+event%3Aschedule)
[](https://github.com/apache/beam/actions?query=workflow%3A%22Java+Tests%22+branch%3Amaster+event%3Aschedule)
See [CI.md](https://github.com/apache/beam/blob/master/CI.md) for more information about GitHub Actions CI.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@beam.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 749319)
Remaining Estimate: 0h
Time Spent: 10m
> beam-vendor-grpc-1_43_2 shades vulnerable Netty version
> -------------------------------------------------------
>
> Key: BEAM-14118
> URL: https://issues.apache.org/jira/browse/BEAM-14118
> Project: Beam
> Issue Type: Improvement
> Components: runner-flink, runner-spark, sdk-java-harness
> Affects Versions: 2.37.0
> Reporter: Arkadiusz Gasinski
> Priority: P2
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
> In turn, our Beam pipelines builds are marked as vulnerable and we're having issues promoting them to higher environments.
> Because Netty is shaded, we can't simply override the version in the build tool.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)