[FLINK-25694] Upgrade Presto to resolve GSON/Alluxio Vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Technical Debt
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.14.2
Fix Version/s: 1.14.5, 1.15.1, 1.16.0
Component/s: Connectors / FileSystem, FileSystems
Labels:
- pull-request-available

Description

GSON has a bug, which was fixed in 2.8.9, see https://github.com/google/gson/pull/1991. This results in the possibility for DOS attacks.

GSON is included in the `flink-s3-fs-presto` plugin, because Alluxio includes it in their shaded client. I've opened an issue in Alluxio: https://github.com/Alluxio/alluxio/issues/14868. When that is fixed, the plugin also needs to be updated.

Attachments

Issue Links

links to

GitHub Pull Request #19428

GitHub Pull Request #19478

GitHub Pull Request #19479

Activity

People

Assignee:: David Perkins

Reporter:: David Perkins

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jan/22 18:49

Updated:: 20/Apr/22 08:41

Resolved:: 14/Apr/22 18:44