zookeeper-dev mailing list archives

From Michael Han <h...@cloudera.com>
Subject Re: Zookeeper 3.4.8 is bundled with old version of Netty:jar
Date Wed, 15 Jun 2016 05:10:05 GMT
I also think we might eventually want to upgrade to Netty 4.x (unless there is
a reason not to) to get the benefits of bug fixes / features not available in
3.x, but there is no immediate need to upgrade to Netty 4.x for security
reasons as all known security issues should be addressed by Netty 3.10.5.
Upgrading to 4.x is not as trivial as upgrading to 3.10.5, as more code changes
and testing would be involved, as described in ZOOKEEPER-2399.

On Tue, Jun 14, 2016 at 9:16 PM, Patrick Hunt <phunt@apache.org> wrote:

> Pallavi do you have any insight into this? Michael? Are we ok with 3.x
> netty or is there some security related fix we are missing that would
> require 3.4 to upgrade to 4.x?
>
> Patrick
>
> On Wed, Jun 8, 2016 at 8:31 AM, Raúl Gutiérrez Segalés <rgs@itevenworks.net> wrote:
>
> > On 7 June 2016 at 18:48, Patrick Hunt <phunt@apache.org> wrote:
> >
> > > There is a jira for this already. Someone want to drive this one?
> > >
> > > https://issues.apache.org/jira/browse/ZOOKEEPER-2399
> >
> > So are we good in the 3.4 branch after:
> >
> > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> >
> > or would we still need to backup netty 4.x support to that branch
> > (eventually)?
> >
> >
> > -rgs
> >
> >
> >
> > >
> > >
> > > Patrick
> > >
> > > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han <hanm@cloudera.com> wrote:
> > >
> > > > FYI branch 3.4 was recently patched with Netty 3.10 to address some of the
> > > > security concerns as described in ZOOKEEPER-2423: Upgrade Netty version due
> > > > to security vulnerability.
> > > >
> > > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> > > >
> > > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi <pallavi_hegde@bmc.com> wrote:
> > > >
> > > > > Hello,
> > > > > We are currently facing some security issues with Zookeeper version 3.4.7
> > > > > & 3.4.8, since it's bundled with a very old version of Netty:jar, version
> > > > > 3.7.0.
> > > > > Could you address this issue in future Zookeeper releases by packaging it
> > > > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure this will
> > > > > help many other issues including security violations.
> > > > >
> > > > > Thanks
> > > > > Pallavi
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Cheers
> > > > Michael.
> > > >
> > >
> >
>



-- 
Cheers
Michael.
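
An added example, not part of the original message or of the ZooKeeper project: a check of a ZooKeeper `lib/` directory for a bundled Netty 3.x jar older than the 3.10.5 named in the message above. The jar naming pattern and the helper names (`parse_netty_version`, `classify`, `audit_lib_dir`) are assumptions, and the sample file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Threshold from the message above: Netty 3.10.5 is stated to address
# all known security issues in the 3.x line.
MIN_FIXED_3X = (3, 10, 5)

# Assumed naming: netty-<major>.<minor>.<patch>[.<qualifier>].jar,
# with an optional "-all" as used by some 4.x artifacts.
JAR_RE = re.compile(r"^netty(?:-all)?-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")


def parse_netty_version(jar_name):
    """Return (major, minor, patch) for a Netty jar name, or None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Compare numerically: as strings, "3.7.0" sorts after "3.10.5"."""
    if version[0] != 3:
        return "REVIEW"      # not 3.x; the 3.10.5 threshold does not apply
    return "OK" if version >= MIN_FIXED_3X else "OUTDATED"


def audit_lib_dir(lib_dir):
    """Return [(jar_name, version, status)] for Netty jars in lib_dir."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        version = parse_netty_version(jar.name)
        if version is not None:
            findings.append((jar.name, version, classify(version)))
    return findings


if __name__ == "__main__":
    # Constructed sample: empty files named like jars in a ZooKeeper lib/.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("netty-3.7.0.Final.jar", "log4j-1.2.16.jar"):
            (Path(tmp) / name).touch()
        for name, version, status in audit_lib_dir(tmp):
            print(f"{status:9} {name}")
```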
