Posted to issues@beam.apache.org by "Tomo Suzuki (Jira)" <ji...@apache.org> on 2021/02/23 17:10:00 UTC

[jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

    [ https://issues.apache.org/jira/browse/BEAM-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17289193#comment-17289193 ] 

Tomo Suzuki edited comment on BEAM-11227 at 2/23/21, 5:09 PM:
--------------------------------------------------------------

> companies are really picky about using libraries/tools reported by vulnerability reports

That makes sense. We want the automatic detector to unmark the vendored gRPC artifact.

Even if we upgrade to the latest version of gRPC, the line "org.eclipse.jetty.alpn:alpn-api:$alpn_api_version" remains with version "1.1.2.v20150522" ([my current attempt|https://github.com/apache/beam/pull/14028/files#diff-20e6ab6fadc3019303d5534ed1b041f154a31e9e7a8e5829d6b8fc0a7218f6dfR76]) (It's less than "9.4.32" mentioned in https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921#c2. The latest is ["1.1.3.v20160715"|https://search.maven.org/artifact/org.eclipse.jetty.alpn/alpn-api/1.1.3.v20160715/jar]).

I'll wait for [~bmbodj]'s response before committing something.




was (Author: suztomo):
> companies are really picky about using libraries/tools reported by vulnerability reports

That makes sense. We want the automatic detector to unmark the vendored gRPC artifact.

Even if we upgrade to the latest version of gRPC, the line "org.eclipse.jetty.alpn:alpn-api:$alpn_api_version" remains with version "1.1.2.v20150522" ([my current attempt|https://github.com/apache/beam/pull/14028/files#diff-20e6ab6fadc3019303d5534ed1b041f154a31e9e7a8e5829d6b8fc0a7218f6dfR76]) (It's less than "9.4.32" mentioned in https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921#c2).

I'll wait for [~bmbodj]'s response before committing something.



> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
>                 Key: BEAM-11227
>                 URL: https://issues.apache.org/jira/browse/BEAM-11227
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system
>    Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
>            Reporter: Boury Mbodj
>            Priority: P1
>              Labels: apache-beam, beam
>             Fix For: 2.29.0
>
>          Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] » [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3] uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a  privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.
> *+Affected Versions:+*
>  Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.
>  *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.
>  
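The version comparison discussed in the comment above (an alpn-api line that stays at 1.1.2.v20150522, below the 9.4.32 bound, even after a gRPC upgrade), as an added example that is not code from the Beam project or from anyone in this thread: a small Python comparator that parses Jetty-style versions and applies the affected ranges quoted in the issue description to Maven coordinates. It assumes versions of the form `major.minor.micro.vYYYYMMDD` or `major.minor.micro.betaN`, uses `org.eclipse.jetty:jetty-server` as a stand-in coordinate for the Jetty 9.2.10.v20150310 named in the description, and contrasts two rules: a crude "is it ordered below the 9.4.33 fix?" check, and a check that keeps each affected range on its own major line. How the scanner mentioned in the thread actually decides is not stated on the page; the two rules are hypothetical.

```python
import re

# Affected ranges quoted from the issue description (CVE-2020-27216):
# 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior, 11.0.0.beta2 and prior.
AFFECTED_UPPER_BOUNDS = ("9.4.32.v20200930", "10.0.0.beta2", "11.0.0.beta2")
# First fixed version on the 9.4 line, also quoted from the description.
FIXED_9_4 = "9.4.33.v20201020"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(v\d+|beta\d+))?$")


def parse_version(text):
    """Turn a Jetty-style version string into a comparable tuple.

    A release qualifier 'vYYYYMMDD' ranks above a 'betaN' qualifier with the
    same numeric part; any other shape is rejected rather than guessed at.
    """
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro, qual = m.groups()
    if qual is None:
        tail = (1, 0)                         # bare release, no date
    elif qual.startswith("v"):
        tail = (1, int(qual[1:]))             # dated release, ordered by date
    else:
        tail = (0, int(qual[len("beta"):]))   # pre-release, ordered by beta number
    return (int(major), int(minor), int(micro)) + tail


def in_affected_range(version):
    """True when the version is at or below a bound on the same major line."""
    v = parse_version(version)
    return any(
        v[0] == parse_version(b)[0] and v <= parse_version(b)
        for b in AFFECTED_UPPER_BOUNDS
    )


def below_fixed_version(version):
    """Cruder rule: anything ordered below the 9.4.33 fix is flagged, whatever its line."""
    return parse_version(version) < parse_version(FIXED_9_4)


def scan(coordinates):
    """Apply both rules to every org.eclipse.jetty* 'group:artifact:version' line."""
    report = {}
    for coord in coordinates:
        group, _artifact, version = coord.split(":")
        if not group.startswith("org.eclipse.jetty"):
            continue
        report[coord] = {
            "below_fixed": below_fixed_version(version),
            "in_affected_range": in_affected_range(version),
        }
    return report


# Constructed dependency lines; the versions are the ones named on the page,
# the jetty-server artifact name is an assumption standing in for "Eclipse Jetty".
SAMPLE_COORDINATES = [
    "org.eclipse.jetty:jetty-server:9.2.10.v20150310",   # Jetty version from the description
    "org.eclipse.jetty:jetty-server:9.4.33.v20201020",   # first fixed 9.4 version
    "org.eclipse.jetty.alpn:alpn-api:1.1.2.v20150522",   # alpn-api line from the comment
    "org.eclipse.jetty.alpn:alpn-api:1.1.3.v20160715",   # latest alpn-api named in the comment
    "io.grpc:grpc-core:1.26.0",                          # not a Jetty artifact, skipped
]

if __name__ == "__main__":
    for coord, result in scan(SAMPLE_COORDINATES).items():
        print(f"{coord:52} below_fixed={result['below_fixed']!s:5} "
              f"in_affected_range={result['in_affected_range']}")
```

Run as-is, the two alpn-api lines come out `below_fixed=True` but `in_affected_range=False`, while the 9.2.10 Jetty line is flagged by both rules and the 9.4.33 line by neither. Whether alpn-api is in scope for the CVE is not settled on the page; the point of the example is only that a comparator which ignores the major line will keep flagging that dependency regardless of the gRPC version, which is the situation the comment describes.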



--
This message was sent by Atlassian Jira
(v8.3.4#803005)