Hi Daniel, sorry for the late reply and thanks for the report. We'll look into this and get back to you.
Cheers,

Konstantin

On Tue, Jun 15, 2021 at 4:33 AM Daniel Moore <daniel.mo...@sugarcrm.com.invalid> wrote:

> Hello All,
>
> We have been implementing a solution using the Flink image from
> https://github.com/apache/flink-docker/blob/master/1.13/scala_2.12-java11-debian/Dockerfile
> and it got flagged by our image repository for 3 major security
> vulnerabilities:
>
> CVE-2017-8804
> CVE-2019-25013
> CVE-2021-33574
>
> All of these stem from the `glibc` packages in the `openjdk:11-jre` image.
>
> We have a working image based on building Flink using the Amazon Corretto
> image -
> https://github.com/corretto/corretto-docker/blob/88df29474df6fc3f3f19daa8c5515d934f706cd0/11/jdk/al2/Dockerfile.
> This works although there are some issues related to linking
> `libjemalloc`. Before we fully test this new image we wanted to reach out
> to the community for insight on the following questions:
>
> 1. Are these vulnerabilities captured in an issue yet?
> 2. If so, when could we expect a new official image that contains the
> Debian fixes for these issues?
> 3. If not, how can we help contribute to a solution?
> 4. Are there officially supported non-Debian based Flink images?
>
> We appreciate the insights and look forward to working with the community
> on a solution.
>
>

--
Konstantin Knauf
https://twitter.com/snntrable
https://github.com/knaufk