Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 #11844
Conversation
Since it does nothing with integration tests (we don't have integration tests for
SGTM, Thanks @jihoonson
Oh travis was stalled for a while before, but it has passed now 🙂 I'm going to merge this PR. Thanks @a2l007 and @clintropolis!
* fix type
* Revert "Fix Keyclock auth integration test based on upstream changes (apache#622)"
  This reverts commit c1083fb.
* Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (apache#11844)
  * bump netty4 to 4.1.68
  * suppress CVE-2021-37136 and CVE-2021-37137 for netty3
  * license
* add `prometheus-emitter` to distribution (apache#11812)
  * add `prometheus-emitter` to distribution
    Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
  * add `druid-momentsketch` to distribution
    Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
* Web console: update typescript 4.4 for faster build speeds (apache#11725)
  * update typescript
  * do not show pagination when there is only one page
  * update snapshots
  * fix pagination
* Remove OffheapIncrementalIndex and clarify aggregator thread-safety needs. (apache#11124)
  * Remove OffheapIncrementalIndex and clarify aggregator thread-safety needs.
    This patch does the following:
    - Removes OffheapIncrementalIndex.
    - Clarifies that Aggregators are required to be thread safe.
    - Clarifies that BufferAggregators and VectorAggregators are not required to be thread safe.
    - Removes thread safety code from some DataSketches aggregators that had it. (Not all of them did, and that's OK, because it wasn't necessary anyway.)
    - Makes enabling "useOffheap" with groupBy v1 an error.
    Rationale for removing the offheap incremental index:
    - It is only used in one rare scenario: groupBy v1 (which is non-default) in "useOffheap" mode (also non-default). So you have to go pretty deep into the wilderness to get this code to activate in production. It is never used during ingestion.
    - Its existence complicates developer efforts to reason about how aggregators get used, because the way it uses buffer aggregators is so different from how every other query engine uses them.
    - It doesn't have meaningful testing.
    By the way, I do believe that the given way the offheap incremental index works, it actually didn't require buffer aggregators to be thread-safe. It synchronizes on "aggregate" and doesn't call "get" until it has stopped calling "aggregate". Nevertheless, this is a bother to think about, and for the above reasons I think it makes sense to remove the code anyway.
  * Remove things that are now unused.
  * Revert removal of getFloat, getLong, getDouble from BufferAggregator.
  * OAK-related warnings, suppressions.
  * Unused item suppressions.
Co-authored-by: Đặng Minh Dũng <dungdm93@live.com>
Co-authored-by: Vadim Ogievetsky <vadim@ogievetsky.com>
Co-authored-by: Gian Merlino <gianmerlino@gmail.com>
… netty3 (#11844)
* bump netty4 to 4.1.68
* suppress CVE-2021-37136 and CVE-2021-37137 for netty3
* license
Description
CVE descriptions are found in https://nvd.nist.gov/vuln/detail/CVE-2021-37136 and https://nvd.nist.gov/vuln/detail/CVE-2021-37137. For netty 3, I suppressed these CVEs since we don't support either Snappy or Bzip2 AFAICT. For netty 4, it seems that we use it only for HttpPostEmitter, which supports only Gzip. But I bumped its version anyway since it's a minor version update. The security vulnerability check still fails because of https://nvd.nist.gov/vuln/detail/CVE-2021-32626, but I would like to handle it in a separate PR.

This PR has: