flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jens Oberender (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FLINK-8170) Security Problems with Netty version 4.0.27.Final
Date Wed, 29 Nov 2017 12:38:00 GMT
Jens Oberender created FLINK-8170:
-------------------------------------

             Summary: Security Problems with Netty version 4.0.27.Final
                 Key: FLINK-8170
                 URL: https://issues.apache.org/jira/browse/FLINK-8170
             Project: Flink
          Issue Type: Bug
          Components: Core
            Reporter: Jens Oberender


I did an OWASP dependency check on my flink project and it reports two problems for netty
version 4.0.27.Final:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970

According to #FLINK-3151  there was a memory problem with newer versions.
I couldn't find a reference to that problem in the netty issues. Perhaps it's already fixed
with newer versions (netty 4.0.27 was release in Apr, 2015).
Unfortunatelly I'm not that familiar with flink yet, to build a setup to reproduce the memory
problem. Can anyone try it with a newer version of netty (4.0.53.Final is the latest of 4.0)?

I came across an article about finding netty memory leaks with ByteBuf, perhaps that can help:
https://logz.io/blog/netty-bytebuf-memory-leak/



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message