[BEAM-11227] Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Triage Needed
Priority: P1
Resolution: Fixed
Affects Version/s: 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0
Fix Version/s: 2.30.0
Component/s: build-system
Labels:
- apache-beam
- beam

Flags:

Important
External issue URL:
https://nvd.nist.gov/vuln/detail/CVE-2020-27216

Description

Description: Apache Beam :: Vendored Dependencies :: GRPC :: 1.26.0 » 0.3 uses the dependency Eclipse Jetty (9.2.10.v20150310), which is prone to a privilege escalation vulnerability. This issue (CVE-2020-27216) was published on 23/10/2020.

Affected Versions:
Eclipse Jetty versions 9.4.32.v20200930 and prior, 10.0.0.beta2 and prior and 11.0.0.beta2 and prior.

Recommendation/ Update Suggestion:
Update the Eclipse Jetty dependency to version 9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3 or later.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image (28).png
26/May/21 10:46
28 kB
Abel Matos
image (28).png
26/May/21 10:46
28 kB
Abel Matos

Issue Links

fixes

BEAM-12316 LGPL in bundled dependencies

Resolved

links to

GitHub Pull Request #14025

GitHub Pull Request #14028

GitHub Pull Request #14242

GitHub Pull Request #14257

GitHub Pull Request #14295

GitHub Pull Request #14307

GitHub Pull Request #14329

GitHub Pull Request #14334

GitHub Pull Request #14340

GitHub Pull Request #14348

GitHub Pull Request #14411

GitHub Pull Request #14466

GitHub Pull Request #14474

GitHub Pull Request #14768

GitHub Pull Request #14792

GitHub Pull Request #14833

GitHub Pull Request #14847

(13 links to)

Activity

People

Assignee:: Tomo Suzuki

Reporter:: Boury Mbodj

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 10/Nov/20 23:37

Updated:: 13/Apr/23 11:05

Resolved:: 25/May/21 19:36

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

163h