
ZOOKEEPER-4529 : Upgrade netty to 4.1.75.Final

Open AnanyaSingh2121 opened this issue 3 years ago • 7 comments

AnanyaSingh2121 avatar Apr 25 '22 12:04 AnanyaSingh2121

@Shoothzj do we require tc-native? Is it used? I think we should remove it (https://github.com/apache/zookeeper/blob/master/pom.xml#L562)?

brahmareddybattula avatar Apr 26 '22 05:04 brahmareddybattula

@brahmareddybattula now we have a netty-tcnative dependency in zookeeper-server's pom.xml, so I think we need it.

hezhangjian avatar Apr 27 '22 00:04 hezhangjian

@Shoothzj the tcnative dependency was coming with the netty 4.1.73 version. Upgrading netty and removing the tcnative-related changes should also resolve the CVEs, as tcnative is not a dependency after netty version 4.1.75.

AnanyaSingh2121 avatar Apr 27 '22 04:04 AnanyaSingh2121

IMO, after this PR, we can revert ZOOKEEPER-4462, which was introduced to solve the tc-native CVEs.

brahmareddybattula avatar Apr 27 '22 05:04 brahmareddybattula

I was wondering why the CVEs mentioned in jira do not appear in OWASP CI (https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/). It is because all those CVEs are suppressed.

If CVEs are resolved by upgrading the jar, better to upgrade the jar and remove the suppressions.

@AnanyaSingh2121 please remove the suppressions also

arshadmohammad avatar Apr 27 '22 18:04 arshadmohammad
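The comment above asks for the OWASP suppressions to go away together with the jar they were written for. The script below is an added example (not code from the ZooKeeper project or from anyone in this thread) of the check a reviewer can run to catch that: it parses a dependency-check `suppressions.xml` and a `mvn dependency:list` excerpt and reports every suppression whose `packageUrl` no longer matches any artifact in the build. Both inputs are constructed samples, and the CVE identifiers in them are placeholders, not the CVEs referenced in the jira.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample suppression file (hypothetical; not ZooKeeper's real
# OWASP suppression list, and the CVE ids below are placeholders).
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>netty-tcnative findings, suppressed before the netty upgrade</notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative.*@.*$</packageUrl>
    <cve>CVE-0000-00001</cve>
    <cve>CVE-0000-00002</cve>
  </suppress>
  <suppress>
    <notes>false positive on netty-handler</notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty-handler@.*$</packageUrl>
    <cve>CVE-0000-00003</cve>
  </suppress>
</suppressions>
"""

# Constructed excerpt of `mvn dependency:list` output from a build where
# netty has been upgraded and netty-tcnative is no longer pulled in.
DEPENDENCY_LIST = """[INFO] The following files have been resolved:
[INFO]    io.netty:netty-handler:jar:4.1.75.Final:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.75.Final:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""

DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+:\S+)\s*$")


def dependency_purls(dep_list_text):
    """Turn `mvn dependency:list` lines into package URLs (pkg:maven/group/artifact@version)."""
    purls = []
    for line in dep_list_text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # group:artifact:type[:classifier]:version:scope -> version is second from the end
        if len(parts) < 5:
            continue
        group, artifact, version = parts[0], parts[1], parts[-2]
        purls.append(f"pkg:maven/{group}/{artifact}@{version}")
    return purls


def parse_suppressions(xml_text):
    """Return (pattern, is_regex, cves) for each <suppress> entry that targets a packageUrl."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter():
        if node.tag.split("}")[-1] != "suppress":  # strip the xmlns prefix
            continue
        pattern, is_regex, cves = None, False, []
        for child in node:
            name = child.tag.split("}")[-1]
            if name == "packageUrl":
                pattern = (child.text or "").strip()
                is_regex = child.get("regex", "false").lower() == "true"
            elif name == "cve":
                cves.append((child.text or "").strip())
        if pattern:
            entries.append((pattern, is_regex, cves))
    return entries


def matches(pattern, is_regex, purl):
    """Apply a packageUrl selector the way dependency-check does: regex or exact match."""
    return bool(re.search(pattern, purl)) if is_regex else pattern == purl


def stale_suppressions(xml_text, dep_list_text):
    """Suppressions whose packageUrl matches no artifact in the current build."""
    purls = dependency_purls(dep_list_text)
    return [
        (pattern, cves)
        for pattern, is_regex, cves in parse_suppressions(xml_text)
        if not any(matches(pattern, is_regex, p) for p in purls)
    ]


if __name__ == "__main__":
    for pattern, cves in stale_suppressions(SUPPRESSIONS_XML, DEPENDENCY_LIST):
        print(f"stale suppression {pattern} ({', '.join(cves)}): artifact no longer in build")
```

With the sample inputs the tcnative suppression is reported as stale because no `io.netty/netty-tcnative` artifact is resolved any more, while the netty-handler suppression still matches and is left alone. A suppression that survives its jar hides nothing today, but it will silently mask a real finding if the artifact is ever reintroduced, which is why removing it in the same change as the upgrade is the safer order.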

> IMO, after this PR, we can revert ZOOKEEPER-4462, which was introduced to solve the tc-native CVEs.

Yes, it should be deleted.

arshadmohammad avatar Apr 27 '22 18:04 arshadmohammad

If we don't need to specify the tc-native version, we can delete it in this PR. IMHO, it isn't worth opening another PR for it.

hezhangjian avatar Apr 27 '22 23:04 hezhangjian

Outdated.

anmolnar avatar Oct 03 '23 13:10 anmolnar