[ https://issues.apache.org/jira/browse/FLINK-24736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17678399#comment-17678399 ]
Leonid Ilyevsky commented on FLINK-24736:
-----------------------------------------
The same problem in the latest version 1.16.0.
I build my projects under the corporate Nexus, and
flink-rpc-akka-loader-1.16.0.jar got quarantined with the following:
ROOT CAUSE
flink-rpc-akka-loader-1.16.0.jar flink-rpc-akka.jar org/jboss/netty/handler/codec/http/HttpMessageDecoder.class (, 4.0.0.Alpha1)
Nexus also mentioned CVE-2019-20444 and CVE-2019-20445.
As a result, I cannot do my build at all.
> Non vulnerable jar files for Apache Flink 1.14.4
> ------------------------------------------------
>
> Key: FLINK-24736
> URL: https://issues.apache.org/jira/browse/FLINK-24736
> Project: Flink
> Issue Type: Bug
> Reporter: Parag Somani
> Priority: Major
>
> Hello,
> We are using Apache Flink 1.14.4 as one of the base images in our production. Due
> to a recent upgrade, we have many container security defects.
> I am using "flink-1.14.4-bin-scala_2.12" in our k8s env.
> Please assist with a Flink version having non-vulnerable libraries. The list of
> vulnerable libs is as follows:
> [7.5] [CVE-2019-16869] [flink-rpc-akka-loader] [1.14.4]
> [9.1] [CVE-2019-20444] [flink-rpc-akka-loader] [1.14.4]
> [9.1] [CVE-2019-20445] [flink-rpc-akka-loader] [1.14.4]
> [7.5] [sonatype-2019-0115] [flink-rpc-akka-loader] [1.14.4]
> [7.5] [sonatype-2020-0029] [flink-rpc-akka-loader] [1.14.4]
> [7.5] [CVE-2019-16869] [flink-rpc-akka] [1.14.4]
> [9.1] [CVE-2019-20444] [flink-rpc-akka] [1.14.4]
> [9.1] [CVE-2019-20445] [flink-rpc-akka] [1.14.4]
> [7.5] [sonatype-2019-0115] [flink-rpc-akka] [1.14.4]
> [7.5] [sonatype-2020-0029] [flink-rpc-akka] [1.14.4]
> Can you assist with this?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
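
The ROOT CAUSE line in the comment above names a class inside a jar that is itself packed inside another jar. The following is an added example, not part of the Jira thread or of Flink: a way to confirm where a flagged package sits by walking nested archives. The sample jar is constructed in memory with dummy bytes and only mirrors the names in that report; `find_bundled_classes` and the depth limit are this example's own choices.

```python
import io
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")
MAX_DEPTH = 4  # assumption: stop descending past this nesting level


def find_bundled_classes(data, prefix, trail=(), depth=0):
    """Yield (outer archive, ..., class entry) tuples for every .class file
    under `prefix`, descending into archives stored inside archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(prefix) and name.endswith(".class"):
                yield trail + (name,)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < MAX_DEPTH:
                try:
                    yield from find_bundled_classes(
                        zf.read(name), prefix, trail + (name,), depth + 1)
                except zipfile.BadZipFile:
                    continue  # archive-like name but not a readable zip; skip


def _zip_bytes(entries):
    """Build a zip archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_loader_jar():
    # Constructed sample: same nesting as the report line, dummy class bytes.
    inner = _zip_bytes({
        "org/jboss/netty/handler/codec/http/HttpMessageDecoder.class": b"\xca\xfe\xba\xbe",
        "example/Unrelated.class": b"\xca\xfe\xba\xbe",
    })
    return _zip_bytes({
        "flink-rpc-akka.jar": inner,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    })


def scan_sample():
    return list(find_bundled_classes(
        build_sample_loader_jar(), "org/jboss/netty/",
        trail=("flink-rpc-akka-loader-1.16.0.jar",)))


if __name__ == "__main__":
    for path in scan_sample():
        print(" -> ".join(path))
```

To check a real artifact, pass the bytes of the downloaded jar to `find_bundled_classes` in place of the constructed sample.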