ZOOKEEPER-3563: dependency check failing on 3.4 and 3.5 branches - CV… #1102
phunt wants to merge 2 commits into
…E-2019-16869 on Netty
Updated netty to 4.1.42.Final to address CVE-2019-16869
Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd
Tests passed for me on my Mac.
eolivelli left a comment
You are committing a snapshot file. Please remove it.
Do you know why owasp does not have problems on 3.6.0?
I must also note that this is a notable bump in netty version, and in my experience I saw sometimes unexpected problems with netty upgrades.
btw Tests are passing and I am using Netty 1.40 with zk 3.5 in some project, so I am confident we are doing well
@eolivelli I didn't notice the snapshot being committed - what's up with that? Is it a known issue or should I enter a jira? (should new/modified files be in target directory?) I'll commit an updated patch momentarily. trunk is on a newer version (but not newest) of netty for some reason compared with 3.5 - not sure why that is but probably not a good idea. That said it seems like if this is a new issue owasp should be flagging, however I did see some back/forth upstream about what version of netty this impacted. Regardless I figured we just update to the very latest netty available.
Change-Id: Ifec29e61feba69d442a2eb9b1f52050ba4c36896
@phunt I think we should log a JIRA for the snapshot file. But I did not track down to the root cause, it happens when you are switching from one branch to the other one (I don't know the sequence). We should update to latest netty master branch.
I will create a separate jira for the snapfile issue. PR already filed for master: #1103
…E-2019-16869 on Netty
Updated netty to 4.1.42.Final to address CVE-2019-16869
Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd
Author: Patrick Hunt <phunt@apache.org>
Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Brian Nixon <brian.nixon.cs@gmail.com>
Closes #1102 from phunt/zk3563_br35
…E-2019-16869 on Netty
Updated netty to 4.1.42.Final to address CVE-2019-16869
Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd
Author: Patrick Hunt <phunt@apache.org>
Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Brian Nixon <brian.nixon.cs@gmail.com>
Closes #1102 from phunt/zk3563_br35
(cherry picked from commit 82b04e8)
Signed-off-by: Norbert Kalmar <nkalmar@apache.org>
Merged to 3.5 and 3.5.6 branch. Thanks @phunt, ping @eolivelli
Thanks @nkalmar
ZOOKEEPER-3563: Update Netty to fix CVE-2019-16869
…E-2019-16869 on Netty
Updated netty to 4.1.42.Final to address CVE-2019-16869
Author: Patrick Hunt <phunt@apache.org>
Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Brian Nixon <brian.nixon.cs@gmail.com>
Closes apache#1102 from phunt/zk3563_br35
Change-Id: Ia14d695815143cdfcda1d2efcc0d83211cb356dd