Pallavi do you have any insight into this? Michael? Are we ok with 3.x netty or is there some security related fix we are missing that would require 3.4 to upgrade to 4.x?

Patrick

On Wed, Jun 8, 2016 at 8:31 AM, Raúl Gutiérrez Segalés wrote:

> On 7 June 2016 at 18:48, Patrick Hunt wrote:
>
> > There is a jira for this already. Someone want to drive this one?
> >
> > https://issues.apache.org/jira/browse/ZOOKEEPER-2399
>
> So are we good in the 3.4 branch after:
>
> https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
>
> or would we still need to backup netty 4.x support to that branch
> (eventually)?
>
> -rgs
>
> > Patrick
> >
> > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han wrote:
> >
> > > FYI branch 3.4 was recently patched with Netty 3.10 to address some of the
> > > security concerns as described in ZOOKEEPER-2423: Upgrade Netty version due
> > > to security vulnerability.
> > >
> > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> > >
> > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi wrote:
> > >
> > > > Hello,
> > > > We are currently facing some security issues with Zookeeper version 3.4.7
> > > > & 3.4.8, since it's bundled with very old version of Netty:jar, version
> > > > 3.7.0.
> > > > Could you address this issue in future Zookeeper releases by packaging it
> > > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure this will
> > > > help many other issues including security violations.
> > > >
> > > > Thanks
> > > > Pallavi
> > >
> > > --
> > > Cheers
> > > Michael.