Posted to dev@flink.apache.org by "Bilna (Jira)" <ji...@apache.org> on 2022/07/27 10:20:00 UTC

[jira] [Created] (FLINK-28714) Resolve CVEs from beam-vendor-grpc-1_26_0-0.3

Bilna created FLINK-28714:
-----------------------------

             Summary: Resolve CVEs from beam-vendor-grpc-1_26_0-0.3
                 Key: FLINK-28714
                 URL: https://issues.apache.org/jira/browse/FLINK-28714
             Project: Flink
          Issue Type: Bug
          Components: API / Python
    Affects Versions: 1.13.6
            Reporter: Bilna


The following CVEs come from the transient dependency BouncyCastle:1.54, pulled in through the Apache Beam dependency in flink-python:
CVE-2018-1000180,
CVE-2016-1000352,
CVE-2016-1000344,
CVE-2016-1000340,
CVE-2016-1000342,
CVE-2016-1000343,
CVE-2016-1000338

The issue comes from beam-vendor-grpc-1_26_0-0.3.

The latest Flink uses Apache Beam 2.38.0, and its BouncyCastle version is 1.67. BouncyCastle should be version 1.7 or greater.

grpc-java 1.48.0 has removed the BouncyCastle dependency.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
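The reason a finding like this is easy to miss is that beam-vendor-grpc is a shaded jar: the BouncyCastle classes are bundled inside it rather than declared as a separate Maven coordinate, so a dependency-tree check keyed on org.bouncycastle will show nothing. The script below is an added example, not code from the ticket, from Flink or from Beam. It opens a jar, looks for the pom.properties that shading usually leaves under META-INF/maven/org.bouncycastle/, reads the bundled version and lists which of the CVEs named in the ticket are still open for that version. The jar built by build_jar() is a constructed sample (its entry paths are assumed, not the real Beam artifact's layout), and the fixed-in versions in BC_FIXED_IN are taken from the NVD records for those CVEs and should be rechecked before the result is relied on.

```python
import io
import re
import zipfile

# CVE -> first BouncyCastle (bcprov) release that fixes it, as recorded by NVD.
# Assumption for this example: recheck the advisories before relying on it.
BC_FIXED_IN = {
    "CVE-2016-1000338": (1, 56),
    "CVE-2016-1000340": (1, 56),
    "CVE-2016-1000342": (1, 56),
    "CVE-2016-1000343": (1, 56),
    "CVE-2016-1000344": (1, 56),
    "CVE-2016-1000352": (1, 56),
    "CVE-2018-1000180": (1, 60),
}

# Shading plugins normally keep the original pom.properties of bundled artifacts here.
POM_PROPS_RE = re.compile(r"META-INF/maven/org\.bouncycastle/([^/]+)/pom\.properties$")


def parse_version(text):
    """Turn '1.54' (or '1.54.1') into a comparable (major, minor) tuple."""
    m = re.match(r"(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_bundled_bouncycastle(jar_bytes):
    """Return {artifactId: version_tuple} for BouncyCastle artifacts shaded into the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            m = POM_PROPS_RE.search(name)
            if not m:
                continue
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
                    if version:
                        found[m.group(1)] = version
        # Fallback: classes are present but the pom.properties was stripped,
        # so the version is unknown and every CVE must be treated as open.
        if not found and any(n.startswith("org/bouncycastle/") for n in names):
            found["unknown-bouncycastle-artifact"] = None
    return found


def open_cves(version):
    """CVEs from BC_FIXED_IN not yet fixed in `version` (all of them if version is unknown)."""
    if version is None:
        return sorted(BC_FIXED_IN)
    return sorted(cve for cve, fixed in BC_FIXED_IN.items() if version < fixed)


def audit(jar_bytes):
    """Map each bundled BouncyCastle artifact to the CVEs still open for its version."""
    return {artifact: open_cves(version)
            for artifact, version in find_bundled_bouncycastle(jar_bytes).items()}


def build_jar(bc_version):
    """Constructed sample jar imitating a vendored grpc jar with bcprov shaded in.

    The entry paths are assumptions for the example, not the real Beam layout.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/beam/vendor/grpc/v1p26p0/io/grpc/Server.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/bouncycastle/jce/provider/BouncyCastleProvider.class", b"\xca\xfe\xba\xbe")
        zf.writestr(
            "META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
            f"version={bc_version}\ngroupId=org.bouncycastle\nartifactId=bcprov-jdk15on\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("1.54", "1.67"):
        print(v, audit(build_jar(v)))
```

Run it against a real vendored jar by replacing build_jar() with `open(path, "rb").read()`. If the fallback branch fires (classes present, no pom.properties), the artifact's version cannot be determined from metadata alone and the jar should be treated as carrying all of the listed CVEs until the bundled release is confirmed another way.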