zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2952) Upgrade third party libraries to address vulnerabilities
Date Wed, 13 Dec 2017 14:07:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16289298#comment-16289298
] 

ASF GitHub Bot commented on ZOOKEEPER-2952:
-------------------------------------------

GitHub user anmolnar opened a pull request:

    https://github.com/apache/zookeeper/pull/435

    ZOOKEEPER-2952. Upgrade third party libs: netty, slf4j, log4j

    This is the branch-3.4 version of 
    
    https://github.com/apache/zookeeper/pull/429
    
    netty, log4j, slf4j

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/anmolnar/zookeeper ZOOKEEPER-2952-branch34

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/435.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #435
    
----
commit 7aa2bcd7d8c6932e3517e45985c6ba3d5db2ab82
Author: Andor Molnar <andor@cloudera.com>
Date:   2017-12-13T14:04:44Z

    ZOOKEEPER-2952. Upgraded third party libraries + updated related license files

----


> Upgrade third party libraries to address vulnerabilities
> --------------------------------------------------------
>
>                 Key: ZOOKEEPER-2952
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2952
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.5.3, 3.4.11, 3.6.0
>            Reporter: Andor Molnar
>            Assignee: Andor Molnar
>            Priority: Critical
>              Labels: dependencies, upgrade, vulnerabilities
>             Fix For: 3.5.4, 3.6.0, 3.4.12
>
>
> Hi,
> I'm going to upgrade the following third party libraries in order to address vulnerabilities
found in them:
> - io.netty:netty 3.10.5.Final -> 3.10.6.Final (CVE-2015-2156 (H), CVE-2014-3488 (H),
protobuf: CVE-2015-5237 (H), npn-api: CVE-2017-9735 (H), CVE-1999-1198 (H), CVE-1999-1193
(H))
> - org.slf4j:slf4j-api 1.7.5 -> 1.7.25
> - log4j:log4j 1.2.16 -> 1.2.17
> Please review the list and let me know if you have any concerns or would like to add
more deps to upgrade.
> Thanks,
> Andor



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message