Closed Jimvin closed 1 year ago
Would it be possible to also address or mitigate any of the critical CVEs with this update? We have noticed that grype is reporting multiple critical CVEs with the docker.stackable.tech/stackable/nifi:1.18.0-stackable23.1.0 image (shown below):
grype docker.stackable.tech/stackable/nifi@sha256:2a060257fafe9778617faaa36730edc1e240df4459e2e3a6f9f4b04aebc79bd6 | grep Critical
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [427 packages]
✔ Scanned image [411 vulnerabilities]
commons-text 1.8 1.10.0 java-archive GHSA-599f-7c49-w659 Critical
commons-text 1.8 java-archive CVE-2022-42889 Critical
jetty-schemas 5.2 java-archive CVE-2017-7658 Critical
jetty-schemas 5.2 java-archive CVE-2017-7657 Critical
log4j-over-slf4j 1.7.36 java-archive CVE-2020-9493 Critical
spring-core 5.3.23 java-archive CVE-2016-1000027 Critical
Or are these CVEs more in the realm of NiFi itself?
We will look into this for the next release.
Needs input from @lfrancke on whether both versions should be released or just 1.21.0.
I think we only want the latest. In other words: Please remove 1.20.
Which new version of Apache NiFi should we support?
1.21.0
Additional information
NOTE: These are still the 1.19.1 release notes; see https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.21.0 for the 1.21 release notes.
Highlights of the 1.19.1 release include:
Highlights of the 1.19.0 release include:
A full list of issues that were resolved can be found at: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12352345
Changes required
Not aware of any breaking changes in this release.
Implementation checklist
Please don't change anything in this list. Not all of these steps are necessary for all versions.