zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Raúl Gutiérrez Segalés <...@itevenworks.net>
Subject Re: Zookeeper 3.4.8 is bundled with old version of Netty:jar
Date Wed, 08 Jun 2016 15:31:32 GMT
On 7 June 2016 at 18:48, Patrick Hunt <phunt@apache.org> wrote:

> There is a jira for this already. Someone want to drive this one?
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-2399


So are we good in the 3.4 branch after:

https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8

or would we still need to backup netty 4.x support to that branch
(eventually)?


-rgs



>
>
> Patrick
>
> On Mon, Jun 6, 2016 at 1:51 PM, Michael Han <hanm@cloudera.com> wrote:
>
> > FYI branch 3.4 was recently patched with Netty 3.10 to address some of
> the
> > security concerns as described in ZOOKEEPER-2423: Upgrade Netty version
> due
> > to security vulnerability.
> >
> >
> >
> https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> >
> >
> >
> >
> > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi <pallavi_hegde@bmc.com>
> > wrote:
> >
> > > Hello,
> > > We are currently facing some security issues with Zookeeper version
> 3.4.7
> > > & 3.4.8, since its bundled with very old version of Netty:jar, version
> > > 3.7.0.
> > > Could you address this issue in future Zookeeper releases by packaging
> it
> > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure this
> > will
> > > help many other issues including security violations.
> > >
> > > Thanks
> > > Pallavi
> > >
> > >
> >
> >
> > --
> > Cheers
> > Michael.
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message