Hi Daniel,

Sorry for the late reply and thanks for the report. We'll look into this
and get back to you.

Cheers,

Konstantin

On Tue, Jun 15, 2021 at 4:33 AM Daniel Moore
<daniel.mo...@sugarcrm.com.invalid> wrote:

> Hello All,
>
> We have been implementing a solution using the Flink image from
> https://github.com/apache/flink-docker/blob/master/1.13/scala_2.12-java11-debian/Dockerfile
> and it got flagged by our image repository for 3 major security
> vulnerabilities:
>
> CVE-2017-8804
> CVE-2019-25013
> CVE-2021-33574
>
> All of these stem from the `glibc` packages in the `openjdk:11-jre` image.
>
> We have a working image based on building Flink using the Amazon Corretto
> image -
> https://github.com/corretto/corretto-docker/blob/88df29474df6fc3f3f19daa8c5515d934f706cd0/11/jdk/al2/Dockerfile.
> This works although there are some issues related to linking
> `libjemalloc`. Before we fully test this new image we wanted to reach out
> to the community for insight on the following questions:
>
> 1. Are these vulnerabilities captured in an issue yet?
> 2. If so, when could we expect a new official image that contains the
> Debian fixes for these issues?
> 3. If not, how can we help contribute to a solution?
> 4. Are there officially supported non-Debian based Flink images?
>
> We appreciate the insights and look forward to working with the community
> on a solution.
>
>

-- 

Konstantin Knauf

https://twitter.com/snntrable

https://github.com/knaufk
