Jens Oberender created FLINK-8170:
-------------------------------------
Summary: Security Problems with Netty version 4.0.27.Final
Key: FLINK-8170
URL: https://issues.apache.org/jira/browse/FLINK-8170
Project: Flink
Issue Type: Bug
Components: Core
Reporter: Jens Oberender
I did an OWASP dependency check on my flink project and it reports two problems
for netty version 4.0.27.Final:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970
According to #FLINK-3151 there was a memory problem with newer versions.
I couldn't find a reference to that problem in the netty issues. Perhaps it's
already fixed with newer versions (netty 4.0.27 was release in Apr, 2015).
Unfortunatelly I'm not that familiar with flink yet, to build a setup to
reproduce the memory problem. Can anyone try it with a newer version of netty
(4.0.53.Final is the latest of 4.0)?
I came across an article about finding netty memory leaks with ByteBuf, perhaps
that can help:
https://logz.io/blog/netty-bytebuf-memory-leak/
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
