Subject: Re: Zookeeper 3.4.8 is bundled with old version of Netty:jar
From: Raúl Gutiérrez Segalés
To: "dev@zookeeper.apache.org"
Cc: UserZooKeeper
Date: Wed, 8 Jun 2016 08:31:32 -0700

On 7 June 2016 at 18:48, Patrick Hunt wrote:

> There is a jira for this already. Someone want to drive this one?
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-2399

So are we good in the 3.4 branch after:

https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8

or would we still need to backup netty 4.x support to that branch (eventually)?

-rgs

>
> Patrick
>
> On Mon, Jun 6, 2016 at 1:51 PM, Michael Han wrote:
>
> > FYI branch 3.4 was recently patched with Netty 3.10 to address some of the
> > security concerns as described in ZOOKEEPER-2423: Upgrade Netty version due
> > to security vulnerability.
> >
> > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> >
> > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi wrote:
> >
> > > Hello,
> > > We are currently facing some security issues with Zookeeper version 3.4.7
> > > & 3.4.8, since it's bundled with very old version of Netty:jar, version
> > > 3.7.0.
> > > Could you address this issue in future Zookeeper releases by packaging it
> > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure this will
> > > help many other issues including security violations.
> > >
> > > Thanks
> > > Pallavi
> >
> > --
> > Cheers
> > Michael.
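An added example, not part of the original thread or of ZooKeeper's own code: a check that reports which Netty jar an installation's `lib/` directory actually bundles, flagging anything older than the Netty 3.10 that the thread says branch 3.4 was patched to. The `netty-<version>.jar` file-name convention, the function names and the sample directory contents are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: bundled jars use the usual "netty-<version>[.Qualifier].jar" naming
# (for example netty-3.7.0.Final.jar); adjust the pattern if a build renames them.
NETTY_JAR = re.compile(r"^netty(?:-all)?-(\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)*\.jar$")

# Floor taken from the thread: branch 3.4 was patched to Netty 3.10.
MIN_VERSION = (3, 10)


def parse_version(text):
    """Turn '3.10.5' into (3, 10, 5) so that 3.10 sorts above 3.7."""
    return tuple(int(part) for part in text.split("."))


def audit_netty_jars(lib_dir, minimum=MIN_VERSION):
    """Return (jar name, version tuple, meets_minimum) for every Netty jar found."""
    findings = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        match = NETTY_JAR.match(jar.name)
        if match:
            version = parse_version(match.group(1))
            findings.append((jar.name, version, version >= minimum))
    return findings


def demo():
    # Constructed sample: empty files standing in for a ZooKeeper lib/ directory.
    names = ("netty-3.7.0.Final.jar", "netty-3.10.5.Final.jar",
             "zookeeper-3.4.8.jar", "slf4j-api-1.6.1.jar")
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            (Path(tmp) / name).touch()
        return audit_netty_jars(tmp)


if __name__ == "__main__":
    for name, version, ok in demo():
        status = "OK      " if ok else "OUTDATED"
        print(f"{status} {name} ({'.'.join(map(str, version))})")
```

The version is read from the file name only, so a renamed or shaded jar needs its manifest inspected instead.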