
Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 #11844

Merged
merged 3 commits into from
Oct 26, 2021

Conversation

jihoonson
Contributor

@jihoonson jihoonson commented Oct 25, 2021

Description

CVE descriptions are found in https://nvd.nist.gov/vuln/detail/CVE-2021-37136 and https://nvd.nist.gov/vuln/detail/CVE-2021-37137. For netty 3, I suppressed these CVEs since we don't support either Snappy or Bzip2 AFAIT. For netty 4, it seems that we use it only for HttpPostEmitter which supports only Gzip. But I bumped its version anyway since it's a minor version update. The security vulnerability check still fails because of https://nvd.nist.gov/vuln/detail/CVE-2021-32626, but I would like to handle it in a separate PR.


This PR has:

  • been self-reviewed.
  • added or updated version, license, or notice information in licenses.yaml
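As an added illustration (not the project's own suppression file), here is how a suppression for the two netty 3 CVEs above could be scoped so it matches only the netty 3 artifact and leaves netty 4 under scan; the tool (OWASP dependency-check) and the file name are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: owasp-dependency-check-suppressions.xml (OWASP dependency-check format). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2021-37136 / CVE-2021-37137 affect the Snappy and Bzip2 decoders in netty 3.
      Suppressed for netty 3 only: neither decoder is used here, and netty 3 has no fixed release.
      Scoped by package URL so netty 4 artifacts (io.netty:netty-*) are still checked.
    ]]></notes>
    <!-- Matches io.netty:netty at any 3.x version and nothing else. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3\..*$</packageUrl>
    <cve>CVE-2021-37136</cve>
    <cve>CVE-2021-37137</cve>
  </suppress>
</suppressions>
```

A suppression keyed on the CVE alone (without the packageUrl or a gav element) would also hide these CVEs for any netty 4 module that is still below 4.1.68, which is why the version-scoped match matters.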

@jihoonson
Contributor Author

Since it does nothing with integration tests (we don't have integration tests for HttpPostEmitter AFAIT), I think we can merge this PR once it passes the first phase which includes checks for license, packaging with Java 8, and dependency and skip the second phase. What do you think @clintropolis @a2l007?

@a2l007
Contributor

a2l007 commented Oct 26, 2021

SGTM, Thanks @jihoonson

@clintropolis clintropolis merged commit 07a232d into apache:master Oct 26, 2021
@jihoonson
Contributor Author

Oh travis was stalled for a while before, but it has passed now 🙂 I'm going to merge this PR. Thanks @a2l007 and @clintropolis!

jon-wei pushed a commit to jon-wei/druid that referenced this pull request Nov 22, 2021
* fix type

* Revert "Fix Keyclock auth integration test based on upstream changes (apache#622)"

This reverts commit c1083fb.

* Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (apache#11844)

* bump netty4 to 4.1.68

* suppress CVE-2021-37136 and CVE-2021-37137 for netty3

* license

* add `prometheus-emitter` to distribution (apache#11812)

* add `prometheus-emitter` to distribution

Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>

* add `druid-momentsketch` to distribution

Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>

* Web console: update typescript 4.4 for faster build speeds (apache#11725)

* update typescript

* do not show pagination when there is only one page

* update snapshots

* fix pagination

* Remove OffheapIncrementalIndex and clarify aggregator thread-safety needs. (apache#11124)

* Remove OffheapIncrementalIndex and clarify aggregator thread-safety needs.

This patch does the following:

- Removes OffheapIncrementalIndex.
- Clarifies that Aggregators are required to be thread safe.
- Clarifies that BufferAggregators and VectorAggregators are not
  required to be thread safe.
- Removes thread safety code from some DataSketches aggregators that
  had it. (Not all of them did, and that's OK, because it wasn't necessary
  anyway.)
- Makes enabling "useOffheap" with groupBy v1 an error.

Rationale for removing the offheap incremental index:

- It is only used in one rare scenario: groupBy v1 (which is non-default)
  in "useOffheap" mode (also non-default). So you have to go pretty deep
  into the wilderness to get this code to activate in production. It is
  never used during ingestion.
- Its existence complicates developer efforts to reason about how
  aggregators get used, because the way it uses buffer aggregators is so
  different from how every other query engine uses them.
- It doesn't have meaningful testing.

By the way, I do believe that the given way the offheap incremental index
works, it actually didn't require buffer aggregators to be thread-safe.
It synchronizes on "aggregate" and doesn't call "get" until it has
stopped calling "aggregate". Nevertheless, this is a bother to think about,
and for the above reasons I think it makes sense to remove the code anyway.

* Remove things that are now unused.

* Revert removal of getFloat, getLong, getDouble from BufferAggregator.

* OAK-related warnings, suppressions.

* Unused item suppressions.

Co-authored-by: Đặng Minh Dũng <dungdm93@live.com>
Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com>
Co-authored-by: Gian Merlino <gianmerlino@gmail.com>
gianm pushed a commit that referenced this pull request Dec 10, 2021
… netty3 (#11844)

* bump netty4 to 4.1.68

* suppress CVE-2021-37136 and CVE-2021-37137 for netty3

* license
@jihoonson jihoonson added this to the 0.22.1 milestone Dec 10, 2021