Posted to dev@flink.apache.org by "Bilna (Jira)" <ji...@apache.org> on 2022/07/27 10:20:00 UTC
[jira] [Created] (FLINK-28714) Resolve CVEs from beam-vendor-grpc-1_26_0-0.3
Bilna created FLINK-28714:
-----------------------------
Summary: Resolve CVEs from beam-vendor-grpc-1_26_0-0.3
Key: FLINK-28714
URL: https://issues.apache.org/jira/browse/FLINK-28714
Project: Flink
Issue Type: Bug
Components: API / Python
Affects Versions: 1.13.6
Reporter: Bilna
The following CVEs come from the transient dependency, BouncyCastle:1.54, through the Apache Beam dependency in flink-python.
CVE-2018-1000180,
CVE-2016-1000352,
CVE-2016-1000344,
CVE-2016-1000340,
CVE-2016-1000342,
CVE-2016-1000343,
CVE-2016-1000338
The issue comes from beam-vendor-grpc-1_26_0-0.3.
The latest Flink uses Apache Beam 2.38.0 and its BouncyCastle version is 1.67. BouncyCastle should be of version 1.7 or greater.
grpc-Java:1.48.0 has removed the BouncyCastle dependency.