flume-dev mailing list archives

From "Ferenc Szabo (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLUME-3115) Upgrade netty library dependency
Date Fri, 18 Aug 2017 18:29:00 GMT

    [ https://issues.apache.org/jira/browse/FLUME-3115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16133418#comment-16133418 ]

Ferenc Szabo commented on FLUME-3115:

netty 3.x.x is needed for avro-ipc, so we need to have that version until it is upgraded. Unfortunately
it is part of the public API, so the next opportunity to upgrade that is the next major release.
However, the latest 3.x.x version does not have the security vulnerability, so the upgrade there
is an option.

netty-all 4.x.x is in the hbase-client; the latest version of that also looks OK in the
aspect of security vulnerabilities.

There are some components that use netty 3.x.x and could be updated to netty-all 4.x.x. I
will create JIRA issues to extract them to a single submodule and refactor them to use netty
4. Until then they can work with the latest 3.x.x.

> Upgrade netty library dependency
> --------------------------------
>                 Key: FLUME-3115
>                 URL: https://issues.apache.org/jira/browse/FLUME-3115
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Assignee: Ferenc Szabo
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
> ||Group||Artifact||Version used||Upgrade target||
> |io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|
> Note: This artifact was moved to:
> - New Group	io.netty
> - New Artifact	netty-all
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/
> Please do:
> - double check the newest version.
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)

This message was sent by Atlassian JIRA
