Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[hotfix] [build] Exclude commons-beanutils from Hadoop dependency to remediate CVE-2025-48734#27248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Draft
guptas6est wants to merge3 commits intoapache:master
base:master
Choose a base branch
Loading
fromNordix:fix/commons-beanutils_exclude

Conversation

@guptas6est
Copy link

What is the purpose of the change

This change removes the transitive dependency on commons-beanutils pulled in through the Hadoop hadoop-common dependency used in flink-s3-fs-base.
The version included transitively (1.9.4) contains a known high-severity vulnerability (CVE-2025-48734). The safest and cleanest solution is to explicitly exclude it.

Brief change log

  • Added an <exclusion> for
    commons-beanutils:commons-beanutils
    in flink-filesystems/flink-s3-fs-base/pom.xml to prevent the vulnerable version (1.9.4) from being included.

Verifying this change

Please make sure both new and modified tests in this PR followthe conventions for tests defined in our code quality guide.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as(please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (100MB)
  • Extended integration test for recovery after master (JobManager) failure
  • Added test that validates that TaskInfo is transferred only once across recoveries
  • Manually verified the change by running a 4 node cluster with 2 JobManagers and 4 TaskManagers, a stateful streaming program, and killing one JobManager and two TaskManagers during the execution, verifying that recovery happens correctly.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency):Yes
  • The public API, i.e., is any changed class annotated with@Public(Evolving): (yes / no)
  • The serializers: (yes / no / don't know)
  • The runtime per-record code paths (performance sensitive): (yes / no / don't know)
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (yes / no / don't know)
  • The S3 file system connector: (yes / no / don't know)

Documentation

  • Does this pull request introduce a new feature?No
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

@flinkbot
Copy link
Collaborator

flinkbot commentedNov 18, 2025
edited
Loading

CI report:

Bot commands The@flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@rionmonster
Copy link
Contributor

Is this something that can just be safely excluded? I see multiple references throughout the codebase that reference thecommons-beanutils package. Would upgrading it to a more recent patched version of the library, such as1.11.0 be preferred to this exclusion?

The only case that I see that not being valid would be explicitly forflink-yarn which seems to require an earlier version:

<!-- Beanutils 1.9.+ doesn't work with Hadoop 2 --><version>1.8.3</version>

Just a thought.

davidradl reacted with thumbs up emoji

@guptas6estguptas6est marked this pull request as draftNovember 20, 2025 13:30
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@guptas6est@flinkbot@rionmonster
[8]ページ先頭
©2009-2025 Movatter.jp