You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "Tomo Suzuki (Jira)" <ji...@apache.org> on 2021/03/02 16:28:00 UTC
[jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3
to fix CVE-2020-27216
[ https://issues.apache.org/jira/browse/BEAM-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293819#comment-17293819 ]
Tomo Suzuki commented on BEAM-11227:
------------------------------------
Looking at Boury Mbodj's [activity|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=bmbodj&selectedTab=com.atlassian.streams.streams-jira-plugin:user-profile-stream-panel], it seems that this is one-off ticket (not by automation).
[~kenn] Sure. Let me continue https://github.com/apache/beam/pull/14028 to see what would break.
> Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216
> ---------------------------------------------------------
>
> Key: BEAM-11227
> URL: https://issues.apache.org/jira/browse/BEAM-11227
> Project: Beam
> Issue Type: Bug
> Components: build-system
> Affects Versions: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
> Reporter: Boury Mbodj
> Priority: P1
> Labels: apache-beam, beam
> Fix For: 2.29.0
>
> Time Spent: 3h 40m
> Remaining Estimate: 0h
>
> *+Description+**:* [Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0] » [0.3|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_26_0/0.3] uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.
> *+Affected Versions:+*
> Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.
> *+Recommendation/+* *+Update Suggestion:+*
> Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)