Posted to issues@flink.apache.org by "Fabian Hueske (JIRA)" <ji...@apache.org> on 2018/07/31 13:29:00 UTC
[jira] [Commented] (FLINK-10007) Security vulnerability in website build infrastructure
[ https://issues.apache.org/jira/browse/FLINK-10007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16563663#comment-16563663 ]
Fabian Hueske commented on FLINK-10007:
---------------------------------------
This is the same issue as FLINK-8308, which was solved for the Flink documentation.
I assume we can simply port most of the changes of [PR 5395|https://github.com/apache/flink/pull/5395] to the {{flink-web}} repository.
> Security vulnerability in website build infrastructure
> ------------------------------------------------------
>
> Key: FLINK-10007
> URL: https://issues.apache.org/jira/browse/FLINK-10007
> Project: Flink
> Issue Type: Bug
> Components: Project Website
> Reporter: Fabian Hueske
> Priority: Critical
>
> We've got a notification from Apache INFRA about a potential security vulnerability:
> {quote}
> We found a potential security vulnerability in a repository for which you have been granted security alert access.
> @apache apache/flink-web
> Known high severity security vulnerability detected in yajl-ruby < 1.3.1 defined in Gemfile.
> Gemfile update suggested: yajl-ruby ~> 1.3.1.
> {quote}
> This is a problem with the build environment of the website, i.e., this dependency is not distributed or executed with Flink but only run when the website is updated.
> Nonetheless, we should of course update the dependency.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
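
Added example, not part of the original message or of the flink-web repository: a check a site build could run to confirm that Gemfile.lock no longer pins a yajl-ruby version below 1.3.1, and that the Gemfile constraint suggested in the alert cannot resolve back to one. The lockfile excerpts, the gem name example-site-generator and all helper names are constructed for illustration.

```ruby
require "rubygems"

GEM_NAME = "yajl-ruby"
# First version not covered by the alert ("yajl-ruby < 1.3.1").
FIXED = Gem::Version.new("1.3.1")

# Constructed Gemfile.lock excerpts for illustration, not flink-web's real lockfile.
LOCK_OLD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-site-generator (1.0.0)
        yajl-ruby (>= 1.0)
      yajl-ruby (1.2.1)

  DEPENDENCIES
    example-site-generator
LOCK
LOCK_NEW = LOCK_OLD.sub("yajl-ruby (1.2.1)", "yajl-ruby (1.3.1)")

# Resolved version of a gem: entries under "specs:" are indented exactly four
# spaces; six-space lines are only dependency constraints and are skipped.
def locked_version(lock_text, name)
  m = lock_text.match(/^ {4}#{Regexp.escape(name)} \((\d[0-9A-Za-z.]*)(?:-[^)]+)?\)$/)
  m && Gem::Version.new(m[1])
end

# :absent, :vulnerable or :ok for the version the lockfile actually pins.
def audit(lock_text)
  v = locked_version(lock_text, GEM_NAME)
  return :absent if v.nil?
  v < FIXED ? :vulnerable : :ok
end

# True when a Gemfile constraint can still resolve to a flagged version.
def allows_vulnerable?(constraint, known_versions)
  req = Gem::Requirement.new(constraint)
  known_versions.any? { |s| (v = Gem::Version.new(s)) < FIXED && req.satisfied_by?(v) }
end

if __FILE__ == $PROGRAM_NAME
  puts "old lock: #{audit(LOCK_OLD)}, new lock: #{audit(LOCK_NEW)}"
  puts "'>= 0' allows flagged versions: #{allows_vulnerable?('>= 0', %w[1.2.1 1.3.1])}"
  puts "'~> 1.3.1' allows flagged versions: #{allows_vulnerable?('~> 1.3.1', %w[1.2.1 1.3.1])}"
end
```

The first sample shows yajl-ruby arriving as a transitive dependency, which is why the check reads the resolved entry in the lockfile rather than the Gemfile alone.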