Flink / FLINK-34575

Vulnerabilities in commons-compress 1.24.0; upgrade to 1.26.0 needed.


Details

    • Type: Technical Debt
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.18.1
    • Fix Version/s: hbase-4.0.0
    • Component/s: None
    • Labels: None

    Description

      Since Feb. 19, medium/high CVEs have been found for commons-compress 1.24.0:
      https://nvd.nist.gov/vuln/detail/CVE-2024-25710
      https://nvd.nist.gov/vuln/detail/CVE-2024-26308

      https://github.com/apache/flink/pull/24352 has been opened automatically on Feb. 21 by dependabot for bumping commons-compress to v1.26.0 which fixes the CVEs, but two CI checks are red on the PR.

      Flink's dependency on commons-compress was upgraded to v1.24.0 in Oct 2023 (https://issues.apache.org/jira/browse/FLINK-33329).
      v1.24.0 is the version currently in the master branch: https://github.com/apache/flink/blob/master/pom.xml#L727-L729.
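The fix described in this issue is a version bump, so the practical check a maintainer wants is whether a build still resolves commons-compress to anything below the fixed release. The following script is an added example written for this page, not Flink's own tooling or the dependabot PR: it parses a constructed Maven POM (modelled on the common pattern of pinning the version through a property, but not Flink's actual pom.xml), resolves the property reference, and reports whether the declared version is older than 1.26.0. The POM text, property name and threshold constant are assumptions made here for illustration.

```python
"""Flag a Maven POM that still declares commons-compress older than 1.26.0.

Added example for this issue; not Flink's own tooling. The POM text below is
constructed for illustration and is not Flink's real pom.xml.
"""
import re
import xml.etree.ElementTree as ET

# Release that addresses CVE-2024-25710 / CVE-2024-26308 per the issue text.
FIXED_VERSION = "1.26.0"
MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
POM_NS = {"m": MAVEN_NS}

# Constructed sample POM: the version is pinned through a property, as many
# projects do, so a naive grep for "commons-compress" would not see "1.24.0".
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-compress.version>1.24.0</commons-compress.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>${commons-compress.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def parse_version(text):
    """Turn '1.26.0' into (1, 26, 0) so versions compare numerically.

    Non-numeric segments (e.g. 'SNAPSHOT') sort as 0, which is good enough
    for the three-part release numbers commons-compress uses.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def resolve(value, props):
    """Expand ${property} references using the POM's <properties> block.

    Unknown properties are left untouched so the caller can see them.
    """
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def find_commons_compress(pom_xml):
    """Return every resolved commons-compress version declared in the POM."""
    root = ET.fromstring(pom_xml)
    # Strip the namespace from property tags: '{ns}foo.version' -> 'foo.version'.
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    found = []
    for dep in root.iter(f"{{{MAVEN_NS}}}dependency"):
        gid = dep.findtext("m:groupId", "", POM_NS)
        aid = dep.findtext("m:artifactId", "", POM_NS)
        ver = dep.findtext("m:version", "", POM_NS)
        if gid == "org.apache.commons" and aid == "commons-compress":
            found.append(resolve(ver.strip(), props))
    return found


def needs_upgrade(pom_xml):
    """True if any declared commons-compress version is below FIXED_VERSION."""
    target = parse_version(FIXED_VERSION)
    return any(parse_version(v) < target for v in find_commons_compress(pom_xml))


if __name__ == "__main__":
    for v in find_commons_compress(SAMPLE_POM):
        state = "below fixed release" if parse_version(v) < parse_version(FIXED_VERSION) else "ok"
        print(f"commons-compress {v}: {state}")
```

The check only covers versions declared directly in one POM; a transitive pull of commons-compress through another artifact would need `mvn dependency:tree` (or an equivalent) rather than a parse of the file, which is why the dependabot bump in `dependencyManagement` matters for the whole build.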

      People

        Assignee: Unassigned
        Reporter: Adrian Vasiliu
        Votes: 2
        Watchers: 3