Hi Martin,

Thanks for bringing this up! Lately I was thinking about bumping the Hadoop
version to at least 2.6.1 to clean up issues like this:
https://github.com/apache/flink/blob/8d05393f5bcc0a917b2dab3fe81a58acaccabf13/flink-filesystems/flink-hadoop-fs/src/main/java/org/apache/flink/runtime/util/HadoopUtils.java#L157-L159

All in all +1 from my perspective.

Just a question here. Are we stating the minimum Hadoop version for users
somewhere in the doc, or do they need to find it out from source code like this?
https://github.com/apache/flink/blob/3a4c11371e6f2aacd641d86c1d5b4fd86435f802/tools/azure-pipelines/build-apache-repo.yml#L113

BR,
G


On Wed, Oct 5, 2022 at 5:02 AM Martijn Visser <martijnvis...@apache.org>
wrote:

> Hi everyone,
>
> A little over a year ago a discussion thread was opened on changing the
> minimal supported version of Hadoop and bringing that to 2.8.5. [1] In this
> discussion thread, I would like to propose to bring that minimal supported
> version of Hadoop to 2.10.2.
>
> Hadoop 2.8.5 is vulnerable to multiple CVEs which are classified as
> Critical [2] [3]. While Flink is not directly impacted by those, we do see
> vulnerability scanners flag Flink as being vulnerable. We could easily
> mitigate that by bumping the minimal supported version of Hadoop to 2.10.2.
>
> I'm looking forward to your opinions on this topic.
>
> Best regards,
>
> Martijn
> https://twitter.com/MartijnVisser82
> https://github.com/MartijnVisser
>
> [1] https://lists.apache.org/thread/81fhnwfxomjhyy59f9bbofk9rxpdxjo5
> [2] https://nvd.nist.gov/vuln/detail/CVE-2022-25168
> [3] https://nvd.nist.gov/vuln/detail/CVE-2022-26612
>
