Posted to issues@flink.apache.org by "Márton Balassi (Jira)" <ji...@apache.org> on 2022/07/22 09:42:00 UTC
[jira] [Comment Edited] (FLINK-28637) High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
[ https://issues.apache.org/jira/browse/FLINK-28637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569903#comment-17569903 ]
Márton Balassi edited comment on FLINK-28637 at 7/22/22 9:41 AM:
-----------------------------------------------------------------
Thanks, [~jbusche].
fyi [~wangyang0918], [~gyfora]:
[https://github.com/fabric8io/kubernetes-client/issues/4290#issuecomment-1192194532]
I think we are fine for the 1.1 operator release as is, but it might make sense to explore swapping the dependency version later. What do you think?
was (Author: mbalassi):
Thanks, [~jbusche].
fyi:
https://github.com/fabric8io/kubernetes-client/issues/4290#issuecomment-1192194532
> High vulnerability in flink-kubernetes-operator-1.1.0-shaded.jar
> ----------------------------------------------------------------
>
> Key: FLINK-28637
> URL: https://issues.apache.org/jira/browse/FLINK-28637
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.1.0
> Reporter: James Busche
> Priority: Major
>
> I noticed a high vulnerability in the flink-kubernetes-operator-1.1.0-shaded.jar file.
> =======
> cvss: 7.5
> riskFactors: Has fix,High severity
> cve: PRISMA-2022-0239
> link: https://github.com/square/okhttp/issues/6738
> status: fixed in 4.9.2
> packagePath: /flink-kubernetes-operator/flink-kubernetes-operator-1.1.0-shaded.jar
> description: com.squareup.okhttp3_okhttp packages prior to version 4.9.2 are vulnerable for sensitive information disclosure. An illegal character in a header value will cause IllegalArgumentException which will include full header value. This applies to Authorization, Cookie, Proxy-Authorization and Set-Cookie headers.
> =======
> It looks like we're using version 3.12.12, and there are no plans to provide this fix for the 3.x version.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
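Added illustration of the leak described in the issue (my own code, not okhttp's or the operator's): a header-value check that echoes the offending value into its exception message, beside a hardened variant that redacts the value for the four credential headers the report names. The character rule and the class name are assumptions for the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Illustrative re-creation of the flaw class, not okhttp's source: the leaky check puts the
// whole header value into the IllegalArgumentException message, so it lands in logs and crash reports.
public final class HeaderValueCheck {

    // Credential-bearing headers named in the report; HTTP header names are case-insensitive.
    private static final List<String> SENSITIVE = Arrays.asList(
            "authorization", "cookie", "proxy-authorization", "set-cookie");

    // Assumed character rule: HTAB and visible ASCII (0x20..0x7E) are legal in a
    // field value; CR, LF and other control characters are not.
    private static int firstIllegalIndex(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\t' && (c < 0x20 || c > 0x7e)) return i;
        }
        return -1;
    }

    // Leaky variant: mirrors the reported behaviour by echoing the full value.
    public static void checkValueLeaky(String name, String value) {
        int i = firstIllegalIndex(value);
        if (i < 0) return;
        throw new IllegalArgumentException(String.format(
                "Unexpected char %#x at %d in %s value: %s", (int) value.charAt(i), i, name, value));
    }

    // Hardened variant: same validation, but credential headers get the position only, never the value.
    public static void checkValueHardened(String name, String value) {
        int i = firstIllegalIndex(value);
        if (i < 0) return;
        boolean secret = SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
        throw new IllegalArgumentException(String.format(
                "Unexpected char %#x at %d in %s value%s",
                (int) value.charAt(i), i, name, secret ? "" : ": " + value));
    }

    public static void main(String[] args) {
        // Constructed sample: a bearer token with a trailing newline, as a buggy client might send.
        String token = "Bearer s3cr3t-token-value\n";
        try { checkValueLeaky("Authorization", token); }
        catch (IllegalArgumentException e) { System.out.println("leaky:    " + e.getMessage().trim()); }
        try { checkValueHardened("Authorization", token); }
        catch (IllegalArgumentException e) { System.out.println("hardened: " + e.getMessage()); }
    }
}
```

Running it prints the token in the leaky message and only the offending character and its index in the hardened one, which is the behavioural difference between the 3.12.x line shipped in the shaded jar and the 4.9.2 fix.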