You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@beam.apache.org by "Boury Mbodj (Jira)" <ji...@apache.org> on 2020/11/10 23:38:00 UTC

[jira] [Created] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix 2020-27216

Boury Mbodj created BEAM-11227:
----------------------------------

             Summary: Upgrade beam-vendor-grpc-1_26_0-0.3 to fix 2020-27216
                 Key: BEAM-11227
                 URL: https://issues.apache.org/jira/browse/BEAM-11227
             Project: Beam
          Issue Type: Bug
          Components: beam-community, beam-model
    Affects Versions: 2.25.0, 2.24.0, 2.23.0, 2.22.0, 2.21.0
            Reporter: Boury Mbodj
            Assignee: Aizhamal Nurmamat kyzy


*+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] » [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3] uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a  privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.

*+Affected Versions:+*
 Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.

 *+Recommendation/ Update Suggestion:
+* Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)