flink-issues mailing list archives

From "Chesnay Schepler (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-8170) Security Problems with Netty version 4.0.27.Final
Date Wed, 29 Nov 2017 13:00:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-8170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16270692#comment-16270692

Chesnay Schepler commented on FLINK-8170:

The dependency conflict will be resolved for Flink 1.4 where we relocate our netty dependency.

AFAIK we wanted to bump the netty version for a while, maybe [~NicoK] knows what the current
state is.

> Security Problems with Netty version 4.0.27.Final
> -------------------------------------------------
>                 Key: FLINK-8170
>                 URL: https://issues.apache.org/jira/browse/FLINK-8170
>             Project: Flink
>          Issue Type: Bug
>          Components: Core
>            Reporter: Jens Oberender
>
> I did an OWASP dependency check on my flink project and it reports two problems for netty
> version 4.0.27.Final:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970
> According to #FLINK-3151 there was a memory problem with newer versions.
> I couldn't find a reference to that problem in the netty issues. Perhaps it's already
> fixed with newer versions (netty 4.0.27 was released in Apr, 2015).
> Unfortunately I'm not familiar enough with flink yet to build a setup to reproduce the
> memory problem. Can anyone try it with a newer version of netty (4.0.53.Final is the latest
> of 4.0)?
> I came across an article about finding netty memory leaks with ByteBuf, perhaps that
> can help:
> https://logz.io/blog/netty-bytebuf-memory-leak/

This message was sent by Atlassian JIRA
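One way to check which Netty version is actually bundled in a Flink distribution's jars, including after the relocation mentioned in the comment above (a relocated Netty keeps its Maven metadata but may not be picked up by OWASP dependency-check), and to compare it against the two CVEs from the issue. This is an added example, not code from the Flink project or from anyone in the thread; the fixed-in versions for the 4.0.x line (4.0.28.Final and 4.0.37.Final) are taken from the CVE entries, and the sample jars are constructed in memory.

```python
"""Scan jars for bundled Netty and flag versions affected by the two CVEs in FLINK-8170."""
import io
import re
import zipfile

# Fixed-in versions for the Netty 4.0.x line, as given in the CVE descriptions.
FIXED_IN_4_0 = {"CVE-2015-2156": (4, 0, 28), "CVE-2016-4970": (4, 0, 37)}


def parse_version(text):
    """'4.0.27.Final' -> (4, 0, 27); None for anything that is not major.minor.patch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def netty_versions_in_jar(jar):
    """Return {artifactId: version} for every Netty module whose Maven metadata is still
    present in the jar. Shaded/relocated jars usually keep META-INF/maven/io.netty/* (assumed
    here), so this also finds Netty that a class-path based scanner may miss."""
    found = {}
    with zipfile.ZipFile(jar) as z:
        for name in z.namelist():
            m = re.match(r"META-INF/maven/io\.netty/([^/]+)/pom\.properties$", name)
            if not m:
                continue
            lines = z.read(name).decode().splitlines()
            props = dict(line.split("=", 1) for line in lines
                         if "=" in line and not line.startswith("#"))
            if "version" in props:
                found[m.group(1)] = props["version"].strip()
    return found


def affected_cves(version):
    """CVE ids from the issue that the given 4.0.x Netty version is still affected by."""
    v = parse_version(version)
    if v is None or v[:2] != (4, 0):
        return []  # only the 4.0.x line discussed in the issue is assessed here
    return sorted(cve for cve, fixed in FIXED_IN_4_0.items() if v < fixed)


def build_sample_jar(artifact, version):
    """Constructed in-memory jar holding only the Maven metadata, for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"META-INF/maven/io.netty/{artifact}/pom.properties",
                   f"#Generated by Maven\nversion={version}\ngroupId=io.netty\nartifactId={artifact}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for art, ver in [("netty-all", "4.0.27.Final"), ("netty-all", "4.0.53.Final")]:
        for found_art, found_ver in netty_versions_in_jar(build_sample_jar(art, ver)).items():
            print(found_art, found_ver, affected_cves(found_ver) or "not affected by listed CVEs")
```

To run it against a real installation, pass each jar path under the distribution's `lib/` directory to `netty_versions_in_jar` instead of the constructed sample.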
