Bilna created FLINK-28714:
-----------------------------
Summary: Resolve CVEs from beam-vendor-grpc-1_26_0-0.3
Key: FLINK-28714
URL: https://issues.apache.org/jira/browse/FLINK-28714
Project: Flink
Issue Type: Bug
Components: API / Python
Affects Versions: 1.13.6
Reporter: Bilna
The following CVEs come from the transient dependency, BouncyCastle:1.54
through Apache Beam dependency in flink-python.
CVE-2018-1000180,
CVE-2016-1000352,
CVE-2016-1000344,
CVE-2016-1000340,
CVE-2016-1000342,
CVE-2016-1000343,
CVE-2016-1000338
The issue comes from beam-vendor-grpc-1_26_0-0.3.
The latest Flink uses Apache Beam 2.38.0 and its BouncyCastle version is 1.67.
BouncyCastle should be of version 1.7 or greater.
grpc-Java:1.48.0 has removed BouncyCastle dependency.