[security] Upgrade Netty to 4.1.72 - CVE-2021-43797 #13328

Merged
merged 2 commits into from
Dec 15, 2021

Conversation

nicoloboschi
Contributor

@nicoloboschi nicoloboschi commented Dec 15, 2021

Motivation

Netty versions prior to 4.1.71 are vulnerable to CVE-2021-43797
https://nvd.nist.gov/vuln/detail/CVE-2021-43797

Netty release notes:

Modifications

  • Upgraded Netty libraries to 4.1.72.Final
  • Upgraded netty-tcnative-boringssl-static to 2.0.46.Final which is compatible with Netty 4.1.72.Final

Documentation

  • no-need-doc
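As an added example (not part of this PR or the Pulsar build), here is a small check a reviewer could run over `mvn dependency:tree` output to confirm no `io.netty` artifact below the fixed version is still resolved after such an upgrade. The fixed version (4.1.71) comes from the PR description; the sample tree output is constructed, and `netty-tcnative-*` is skipped because it uses its own 2.0.x versioning.

```python
import re

# Netty versions prior to 4.1.71 are vulnerable to CVE-2021-43797 (per the PR description).
FIXED_VERSION = (4, 1, 71)

# Matches a Maven coordinate as printed by `mvn dependency:tree`:
# groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>io\.netty):(?P<artifact>[\w.-]+):(?P<type>[\w-]+):"
    r"(?:(?P<classifier>[\w.-]+):)?(?P<version>[\w.-]+):(?P<scope>\w+)"
)


def parse_version(version):
    """Turn '4.1.70.Final' into (4, 1, 70); the qualifier is ignored."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable_netty(tree_output):
    """Return (artifact, version) pairs whose version is older than FIXED_VERSION."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact.startswith("netty-tcnative"):
            continue  # separate 2.0.x versioning scheme, not covered by this check
        if parse_version(version) < FIXED_VERSION:
            hits.append((artifact, version))
    return hits


# Constructed sample of `mvn dependency:tree` output (not taken from the Pulsar build).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0-SNAPSHOT
[INFO] +- io.netty:netty-codec-http:jar:4.1.70.Final:compile
[INFO] |  \\- io.netty:netty-common:jar:4.1.70.Final:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.46.Final:compile
[INFO] \\- io.netty:netty-handler:jar:4.1.72.Final:compile
"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable_netty(SAMPLE_TREE):
        print(f"{artifact} {version} is older than the fixed 4.1.71.Final")
```

Run it against the real output of `mvn dependency:tree` to catch a transitive dependency that still pins an older `io.netty` artifact despite the top-level bump.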

@github-actions

@nicoloboschi: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@Technoboy- Technoboy- added doc-not-needed Your PR changes do not impact docs area/dependency Pull requests that update a dependency file and removed doc-label-missing labels Dec 15, 2021
@nicoloboschi
Contributor Author

/pulsarbot rerun-failure-checks

@nicoloboschi
Contributor Author

/pulsarbot rerun-failure-checks

@merlimat merlimat merged commit 6e206f5 into apache:master Dec 15, 2021
merlimat pushed a commit that referenced this pull request Dec 15, 2021
* [security] Upgrade Netty to 4.1.72

* fix licenses files
merlimat pushed a commit that referenced this pull request Dec 15, 2021
* [security] Upgrade Netty to 4.1.72

* fix licenses files
@merlimat merlimat added cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life labels Dec 15, 2021
@merlimat merlimat added this to the 2.10.0 milestone Dec 15, 2021
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Dec 16, 2021
* [security] Upgrade Netty to 4.1.72

* fix licenses files

(cherry picked from commit 3b44d67)
fxbing pushed a commit to fxbing/pulsar that referenced this pull request Dec 19, 2021
* [security] Upgrade Netty to 4.1.72

* fix licenses files
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Dec 20, 2021
* [security] Upgrade Netty to 4.1.72

* fix licenses files

(cherry picked from commit 3b44d67)
@lhotari
Member

lhotari commented Jan 24, 2022

@merlimat @codelipenghui @rdhabalia This Netty upgrade to 4.1.72.Final brings in a major change in the Netty Recycler. The Netty Recycler was rewritten for Netty 4.1.71.Final in netty/netty#11858.
It's possible that the improvements in Netty Recycler fix odd thread-safety issues seen in Pulsar, such as #10433.

Labels
  • area/dependency: Pull requests that update a dependency file
  • area/security
  • cherry-picked/branch-2.8: Archived: 2.8 is end of life
  • cherry-picked/branch-2.9: Archived: 2.9 is end of life
  • doc-not-needed: Your PR changes do not impact docs
  • release/2.8.2
  • release/2.9.2