update netty and zookeeper #16267

Merged
merged 2 commits into from
Apr 16, 2024

Contributor

@janjwerner-confluent janjwerner-confluent commented Apr 11, 2024

Description

Update dependencies to address CVEs:

  • Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
  • Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

Release note

  • Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
  • Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@findingrish
Contributor

Hi @janjwerner-confluent, thanks for the change.

To fix the build failure, I think we will have to update the io.netty:netty-tcnative-boringssl-static version in licenses.yaml.
The netty version upgrade is bringing in a higher version of this dependency in azure-extension module.

[INFO] +- com.azure:azure-identity:jar:1.11.1:compile
[INFO] |  +- com.azure:azure-core-http-netty:jar:1.13.11:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-unix-common:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.108.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-classes:jar:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.65.Final:compile
[INFO] |  |  |  \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.65.Final:compile
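
A check of the kind the comment above calls for, as an added example (not code from this PR or from Druid's build tooling): it parses `mvn dependency:tree` lines like those quoted and reports every artifact whose resolved version differs from, or is missing in, a declared-version table. The `DECLARED` table and its stale version are constructed placeholders; the real licenses.yaml is not read here.

```python
import re

# Lines taken from the dependency tree quoted in the comment above (abridged).
TREE = r"""
[INFO] +- com.azure:azure-identity:jar:1.11.1:compile
[INFO] |  +- com.azure:azure-core-http-netty:jar:1.13.11:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-classes:jar:2.0.65.Final:compile
[INFO] |  |  |  \- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.65.Final:compile
"""

# Constructed stand-in for the declared versions (assumption: NOT the real licenses.yaml).
DECLARED = {
    "com.azure:azure-identity": "1.11.1",
    "com.azure:azure-core-http-netty": "1.13.11",
    "io.netty:netty-codec-http2": "4.1.108.Final",
    "io.netty:netty-transport-native-kqueue": "4.1.108.Final",
    "io.netty:netty-tcnative-boringssl-static": "0.0.0-CONSTRUCTED",  # stale placeholder
    # netty-tcnative-classes is deliberately left undeclared
}

# group:artifact:type[:classifier]:version:scope, after the tree-drawing prefix
COORD = re.compile(r"^\[INFO\][\s|+\\-]*([\w.\-]+(?::[\w.\-]+){4,5})\s*$")

def resolved_versions(tree_text):
    """Map 'group:artifact' -> set of versions resolved anywhere in the tree."""
    found = {}
    for line in tree_text.splitlines():
        m = COORD.match(line)
        if not m:
            continue  # blank lines, banners, anything that is not a coordinate
        parts = m.group(1).split(":")
        # The version is always second to last, with or without a classifier.
        found.setdefault(f"{parts[0]}:{parts[1]}", set()).add(parts[-2])
    return found

def license_drift(tree_text, declared):
    """Return {coordinate: (declared_version_or_None, resolved_versions)} for mismatches."""
    drift = {}
    for coord, versions in sorted(resolved_versions(tree_text).items()):
        want = declared.get(coord)
        if versions != {want}:
            drift[coord] = (want, sorted(versions))
    return drift

if __name__ == "__main__":
    for coord, (want, got) in license_drift(TREE, DECLARED).items():
        print(f"{coord}: declared={want} resolved={', '.join(got)}")
```
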

@janjwerner-confluent
Contributor Author

Hey @findingrish
I'm on it, just got stuck with other work and could not follow up on this.
Thanks!

@xvrl xvrl merged commit c45da43 into apache:master Apr 16, 2024
86 checks passed
@janjwerner-confluent janjwerner-confluent deleted the cve-cleanup branch April 16, 2024 03:48
@adarshsanjeev adarshsanjeev added this to the 30.0.0 milestone May 6, 2024
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Jun 1, 2024
 Update dependencies to address CVEs:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

Release notes:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Jun 3, 2024