ZOOKEEPER-3563: dependency check failing on 3.4 and 3.5 branches - CV… #1102

Closed
wants to merge 2 commits into from

phunt commented Sep 30, 2019

…E-2019-16869 on Netty

Updated netty to 4.1.42.Final to address CVE-2019-16869

Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd

phunt commented Sep 30, 2019

Tests passed for me on my Mac.

enixon approved these changes Oct 1, 2019
enixon left a comment

Successfully builds on my Mac

+1

eolivelli left a comment

You are committing a snapshot file. Please remove it.

Do you know why owasp does not have problems on 3.6.0?

I must also note that this is a notable bump in netty version, and in my experience I saw sometimes unexpected problems with netty upgrades.
btw Tests are passing and I am using Netty 1.40 with zk 3.5 in some project, so I am confident we are doing well

phunt commented Oct 1, 2019

@eolivelli I didn't notice the snapshot being committed - what's up with that? Is it a known issue or should I enter a jira? (should new/modified files be in target directory?)

I'll commit an updated patch momentarily.

trunk is on a newer version (but not newest) of netty for some reason compared with 3.5 - not sure why that is but probably not a good idea. That said it seems like if this is a new issue owasp should be flagging, however I did see some back/forth upstream about what version of netty this impacted. Regardless I figured we just update to the very latest netty available.

Change-Id: Ifec29e61feba69d442a2eb9b1f52050ba4c36896

eolivelli left a comment

LGTM
Thanks @phunt

eolivelli commented Oct 1, 2019

@phunt I think we should log a JIRA for the snapshot file. But I did not track down to the root cause, it happens when you are switching from one branch to the other one (I don't know the sequence).

We should update to latest netty master branch.
Shall we do it in the context of this JIRA? Can you provide a patch for master branch please?

phunt commented Oct 1, 2019

I will create a separate jira for the snapfile issue.

PR already filed for master: #1103

nkalmar approved these changes Oct 3, 2019

nkalmar left a comment

+1

asfgit pushed a commit that referenced this pull request Oct 3, 2019
…E-2019-16869 on Netty

Updated netty to 4.1.42.Final to address CVE-2019-16869

Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd

Author: Patrick Hunt <phunt@apache.org>

Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Brian Nixon <brian.nixon.cs@gmail.com>

Closes #1102 from phunt/zk3563_br35
asfgit pushed a commit that referenced this pull request Oct 3, 2019
…E-2019-16869 on Netty

Updated netty to 4.1.42.Final to address CVE-2019-16869

Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd

Author: Patrick Hunt <phunt@apache.org>

Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Brian Nixon <brian.nixon.cs@gmail.com>

Closes #1102 from phunt/zk3563_br35

(cherry picked from commit 82b04e8)
Signed-off-by: Norbert Kalmar <nkalmar@apache.org>

nkalmar commented Oct 3, 2019

Merged to 3.5 and 3.5.6 branch. Thanks @phunt, ping @eolivelli

@nkalmar nkalmar closed this Oct 3, 2019

eolivelli commented Oct 3, 2019

Thanks @nkalmar
I will create a new RC during the weekend
