zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Amit Kumar <ak3...@gmail.com>
Subject Re: Zookeeper 3.4.8 is bundled with old version of Netty:jar
Date Wed, 15 Jun 2016 06:26:58 GMT
Unsubscribe

On Wed, Jun 15, 2016 at 10:40 AM, Michael Han <hanm@cloudera.com> wrote:

> I also think we might eventually want upgrade to Netty 4.x (unless there is
> a reason not to) to get benefits of bug fixes / features not available in
> 3.x, but there is no immediate needs to upgrade to Netty 4.x for security
> reasons as all known security issues should be addressed by Netty 3.10.5.
> Upgrade to 4.x is not as trivial as upgrade to 3.10.5 as more code changes
> and testing would be involved as described in ZOOKEEPER-2399.
>
> On Tue, Jun 14, 2016 at 9:16 PM, Patrick Hunt <phunt@apache.org> wrote:
>
> > Pallavi do you have any insight into this? Michael? Are we ok with 3.x
> > netty or is there some security related fix we are missing that would
> > require 3.4 to upgrade to 4.x?
> >
> > Patrick
> >
> > On Wed, Jun 8, 2016 at 8:31 AM, Raúl Gutiérrez Segalés <
> > rgs@itevenworks.net>
> > wrote:
> >
> > > On 7 June 2016 at 18:48, Patrick Hunt <phunt@apache.org> wrote:
> > >
> > > > There is a jira for this already. Someone want to drive this one?
> > > >
> > > > https://issues.apache.org/jira/browse/ZOOKEEPER-2399
> > >
> > >
> > > So are we good in the 3.4 branch after:
> > >
> > >
> > >
> >
> https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> > >
> > > or would we still need to backup netty 4.x support to that branch
> > > (eventually)?
> > >
> > >
> > > -rgs
> > >
> > >
> > >
> > > >
> > > >
> > > > Patrick
> > > >
> > > > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han <hanm@cloudera.com>
> wrote:
> > > >
> > > > > FYI branch 3.4 was recently patched with Netty 3.10 to address some
> > of
> > > > the
> > > > > security concerns as described in ZOOKEEPER-2423: Upgrade Netty
> > version
> > > > due
> > > > > to security vulnerability.
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi <
> > pallavi_hegde@bmc.com>
> > > > > wrote:
> > > > >
> > > > > > Hello,
> > > > > > We are currently facing some security issues with Zookeeper
> version
> > > > 3.4.7
> > > > > > & 3.4.8, since its bundled with very old version of Netty:jar,
> > > version
> > > > > > 3.7.0.
> > > > > > Could you address this issue in future Zookeeper releases by
> > > packaging
> > > > it
> > > > > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am
sure
> > this
> > > > > will
> > > > > > help many other issues including security violations.
> > > > > >
> > > > > > Thanks
> > > > > > Pallavi
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Cheers
> > > > > Michael.
> > > > >
> > > >
> > >
> >
>
>
>
> --
> Cheers
> Michael.
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message