From: Patrick Hunt
Date: Tue, 14 Jun 2016 21:16:50 -0700
Subject: Re: Zookeeper 3.4.8 is bundled with old version of Netty:jar
To: DevZooKeeper
Cc: UserZooKeeper
Reply-To: user@zookeeper.apache.org
archived-at: Wed, 15 Jun 2016 04:17:37 -0000

Pallavi do you have any insight into this? Michael? Are we ok with 3.x
netty or is there some security related fix we are missing that would
require 3.4 to upgrade to 4.x?

Patrick

On Wed, Jun 8, 2016 at 8:31 AM, Raúl Gutiérrez Segalés wrote:

> On 7 June 2016 at 18:48, Patrick Hunt wrote:
>
> > There is a jira for this already. Someone want to drive this one?
> >
> > https://issues.apache.org/jira/browse/ZOOKEEPER-2399
>
> So are we good in the 3.4 branch after:
>
> https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
>
> or would we still need to backup netty 4.x support to that branch
> (eventually)?
>
> -rgs
>
> > Patrick
> >
> > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han wrote:
> >
> > > FYI branch 3.4 was recently patched with Netty 3.10 to address some of
> > > the security concerns as described in ZOOKEEPER-2423: Upgrade Netty
> > > version due to security vulnerability.
> > >
> > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> > >
> > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi wrote:
> > >
> > > > Hello,
> > > > We are currently facing some security issues with Zookeeper version
> > > > 3.4.7 & 3.4.8, since it's bundled with a very old version of
> > > > Netty:jar, version 3.7.0.
> > > > Could you address this issue in future Zookeeper releases by
> > > > packaging it with Netty.jar-4.0.27, or higher version of Netty:jar?
> > > > I am sure this will help many other issues including security
> > > > violations.
> > > >
> > > > Thanks
> > > > Pallavi
> > >
> > > --
> > > Cheers
> > > Michael.