helix-commits mailing list archives

From "Kanak Biscuitwala (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HELIX-257) Upgrade Restlet to 2.1.4 - due security flaw
Date Sat, 19 Oct 2013 01:15:42 GMT

    [ https://issues.apache.org/jira/browse/HELIX-257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13799720#comment-13799720 ]

Kanak Biscuitwala commented on HELIX-257:
-----------------------------------------

Can't apply this patch because of all the log messages output by the restlet library. See
TestAlertFireHistory for an example. Restlet seems to use java.util.logging while Helix uses
log4j, and these are not very compatible.

There are a few possibilities, though others can certainly chime in if there are any that
I missed:

1) Insert the following into ZkPropertyTransferServer (or another class; I'm not super familiar
with this code):
  static {
    // Level is java.util.logging.Level
    org.restlet.engine.Engine.setLogLevel(Level.SEVERE);
  }

2) Use an slf4j bridge to redirect these logging messages, at which point they can be disabled
in the normal way

> Upgrade Restlet to 2.1.4 - due security flaw
> --------------------------------------------
>
>                 Key: HELIX-257
>                 URL: https://issues.apache.org/jira/browse/HELIX-257
>             Project: Apache Helix
>          Issue Type: Bug
>          Components: helix-core
>    Affects Versions: 0.6.0-incubating, 0.6.1-incubating, 0.6.2-incubating
>            Reporter: Alexadre Porcelli
>            Priority: Critical
>         Attachments: 0001-HELIX-257-Upgraded-restlet-from-1.1.10-to-2.1.4.patch
>
>
> The current version of Restlet used by Helix has at least 2 known security flaws, CVE-2013-4221
> and CVE-2013-4271.
> Those issues are addressed in Restlet 2.1.4



--
This message was sent by Atlassian JIRA
(v6.1#6144)
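
The two options in the comment above can be seen side by side using only the JDK. This is an added example, not code from Helix or from the commenter: the class name, the in-memory sink standing in for log4j, the "org.restlet" logger namespace and the log messages are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class RestletLogRouting {
    // Hypothetical sink standing in for the application's real backend (log4j in Helix).
    static final List<String> appLog = new ArrayList<>();

    // Forwards java.util.logging records to the application's backend,
    // which is the job a JUL-to-SLF4J bridge handler performs.
    static class ForwardingHandler extends Handler {
        @Override public void publish(LogRecord r) {
            if (isLoggable(r)) {
                appLog.add(r.getLevel() + " " + r.getLoggerName() + " " + r.getMessage());
            }
        }
        @Override public void flush() {}
        @Override public void close() {}
    }

    // Keep a strong reference: JUL holds loggers weakly, so a configured
    // logger could otherwise be garbage-collected and lose its level.
    // "org.restlet" as the library's logger namespace is an assumption.
    static final Logger RESTLET = Logger.getLogger("org.restlet");

    public static void main(String[] args) {
        Logger root = Logger.getLogger("");
        for (Handler h : root.getHandlers()) {
            root.removeHandler(h);           // drop the default ConsoleHandler
        }
        root.addHandler(new ForwardingHandler());

        // Raise the threshold for this subtree only; child loggers inherit it.
        RESTLET.setLevel(Level.SEVERE);

        // Constructed sample messages, not real Restlet or Helix output.
        Logger.getLogger("org.restlet.Component").info("Starting the internal HTTP server");
        Logger.getLogger("org.restlet.Component").severe("Unable to bind port");
        Logger.getLogger("org.apache.helix.Example").info("application message");

        appLog.forEach(System.out::println);
    }
}
```

Keeping the threshold at SEVERE rather than OFF means genuine failures from the HTTP layer still reach the application log while the routine startup chatter is dropped.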
