You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@beam.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/03/02 16:29:00 UTC

[jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

     [ https://issues.apache.org/jira/browse/BEAM-11227?focusedWorklogId=560022&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-560022 ]

ASF GitHub Bot logged work on BEAM-11227:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Mar/21 16:28
            Start Date: 02/Mar/21 16:28
    Worklog Time Spent: 10m 
      Work Description: suztomo commented on pull request #14028:
URL: https://github.com/apache/beam/pull/14028#issuecomment-789034703


   I'll try to apply the change to use the new vendored gRPC version.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 560022)
    Time Spent: 3h 50m  (was: 3h 40m)

> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 3h 50m
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] » [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3] uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a  privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.
> *+Affected Versions:+*
>  Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.
>  *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)