ZOOKEEPER-4209: Update Netty to 4.1.53.Final on 3.5. branch #1603

Closed
wants to merge 6 commits into from


frederiko
Contributor

Upgrade Netty to 4.1.53.Final on 3.5 branch to address the vulnerability described at https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439

nkalmar and others added 6 commits November 26, 2020 15:33
…02 - CVE-2020-27218

Bump jetty.version to 9.4.35.v20201120.

The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120)
mention [issue 5605](jetty/jetty.project#5605):

> java.io.IOException: unconsumed input during http request parsing

which seems to match the description of
[CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218)

Author: Damien Diederen <dd@crosstwine.com>

Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>

Closes apache#1554 from ztzg/jetty-upgrade-CVE-2020-27218-branch-3.5

(cherry picked from commit eb348a1)

Jackson reported a vulnerability under CVE-2020-25649. Upgrading to 2.10.5.1 will resolve the problem. See https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#micro-patches for more details.

Author: Edwin Hobor <edwin.hobor@microfocus.com>

Reviewers: Mate Szalay-Beko <symat@apache.org>, Norbert Kalmar <nkalmar@apache.org>

Closes apache#1572 from edwin092/ZOOKEEPER-4045

(cherry picked from commit 676d10b)
Signed-off-by: Norbert Kalmar <nkalmar@apache.org>
(cherry picked from commit 29315f8)
@frederiko frederiko closed this Feb 14, 2021
@frederiko frederiko deleted the netty-upgrade branch February 14, 2021 19:42