
ZOOKEEPER-4209: Update Netty to 4.1.59.Final #1605

Closed
wants to merge 1 commit into from

Conversation

frederiko (Contributor)

Update Netty to 4.1.59.Final on to address the vulnerability described at https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439

@frederiko (Contributor, Author)

I realized this GH Action has been failing for most PRs at different tests (I had these tests failing at different tests), which seems an indication of an environment issue. How is this approached, since the Jenkins job passes correctly?

@ztzg (Contributor) left a comment

Thank you.

Would you mind also renaming the relevant *.LICENSE.txt files in the zookeeper-server/src/main/resources/lib directory? (This is annoying, and we should probably get rid of it. But let's keep things aligned for now.)

> I realized this GH Action has been failing for most PRs at different tests (I had these tests failing at different tests), which seems an indication of an environment issue. How is this approached, since the Jenkins job passes correctly?

This should soon be fix^H^H^H worked around: #1606.

Best, -D

@frederiko (Contributor, Author)

@ztzg Thanks for the feedback. I have made the changes. Wasn't aware of these license files.
Yeah, I also noticed #1606 yesterday.

Cheers ;-)

@eolivelli (Contributor) left a comment

LGTM

@ztzg (Contributor) left a comment

Thanks; LGTM!

@ztzg ztzg closed this in 884fc38 Feb 17, 2021
ztzg pushed a commit that referenced this pull request Feb 17, 2021
Update Netty to 4.1.59.Final on to address the vulnerability described at https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439

Author: Frederiko Costa <frederiko@gmail.com>

Reviewers: Enrico Olivelli <eolivelli@apache.org>, Damien Diederen <ddiederen@apache.org>

Closes #1605 from frederiko/netty-4.1.59-update

(cherry picked from commit 884fc38)
Signed-off-by: Damien Diederen <ddiederen@apache.org>
@ztzg (Contributor)

ztzg commented Feb 17, 2021

Picked into branch-3.5, branch-3.6, branch-3.7, branch-3.7.0, and master. Thank you, @frederiko!

@frederiko (Contributor, Author)

Many thanks! Lifesaver to me. Hope to contribute more soon. Quick question: what's the next step to get a new release (3.5.10?, 3.6.3?)? Sorry, couldn't find the process.

@eolivelli (Contributor)

@ztzg in order to pick this to branch-3.5 we have to add a new patch because in branch-3.5 we also have Ant/Ivy XML files to update

@frederiko would you mind creating a second PR for branch-3.5 with the update of the Ivy dependency files?

@frederiko (Contributor, Author)

frederiko commented Feb 17, 2021

Sure thing. I believe I have addressed it in #1607, @eolivelli.

@ztzg (Contributor)

ztzg commented Feb 18, 2021

@eolivelli: Oops; sorry about that.
@frederiko: Thanks!

@ztzg (Contributor)

ztzg commented Feb 18, 2021

> Many thanks! Lifesaver to me. Hope to contribute more soon. Quick question: what's the next step to get a new release (3.5.10?, 3.6.3?)? Sorry, couldn't find the process.

@frederiko: I'm not aware of any process for triggering new releases, besides perhaps asking on the dev@ mailing list. We had one on the 3.5 branch fairly recently, so it may not be easy to find volunteers. (I, for one, am desperately trying to get 3.7 out—and cannot promise anything before that happens.)

SNYK-JAVA-IONETTY-1020439 is described as a "Denial of Service" attack, and ZooKeeper is usually not exposed. So is this upgrade a "Lifesaver" because you have to comply with some "zero vulnerabilities" policy, or because you actually expect issues?

Building ZooKeeper from Git is not very difficult, so that may be a temporary option?

(In some contexts, we deploy self-built ZooKeeper instances as we still need a few patches applied on top of the branch(es)—meaning we automatically get the latest CVE fixes. In other contexts, we are trying to deploy pure releases, and are going to hit the same issue. As far as I can tell, the Maven model is kinda "anti-dependency-injection," so the only option seems to be accelerating the release cadence. A lot of work has been made to facilitate that, but I'm afraid, the project doesn't have a good answer for the manual work which is still needed.)

@eolivelli: Am I missing something?

@eolivelli (Contributor)

You can only ask for a release on dev@zookeeper.apache.org.

As said, we released 3.5.9 last month... and this issue does not affect ZooKeeper. So I am not sure we are really in a hurry.

On the client side you can override the dependency.

Btw, you can always ask and describe your needs. Then, together as a community, we will decide what to do.
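
One way to apply the client-side override eolivelli mentions, as an added example that is not part of the ZooKeeper project or this PR: a Maven `dependencyManagement` block in the consuming application that imports Netty's BOM (`io.netty:netty-bom`, a real artifact) so that every `io.netty` jar ZooKeeper pulls in transitively resolves to 4.1.59.Final. The application coordinates (`com.example:zk-client`) and the ZooKeeper version `3.6.2` are assumptions chosen for illustration.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Hypothetical consuming application; these coordinates are an assumption. -->
  <groupId>com.example</groupId>
  <artifactId>zk-client</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- The Netty version this PR moves ZooKeeper to, for SNYK-JAVA-IONETTY-1020439. -->
    <netty.version>4.1.59.Final</netty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing Netty's BOM manages every io.netty:* artifact at once.
           Managed versions take precedence over the versions declared by
           transitive dependencies, so the Netty jars ZooKeeper would otherwise
           bring in are replaced by netty.version on this project's classpath. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper</artifactId>
      <!-- A released ZooKeeper that predates this PR; 3.6.2 is an assumed value. -->
      <version>3.6.2</version>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=io.netty`; every `io.netty` line should show `4.1.59.Final`. Two caveats: the override only covers this application's own classpath, so a ZooKeeper server started from a release tarball still runs with whatever Netty jars sit in its `lib/` directory (which is why the thread falls back to building from Git or waiting for a release), and a Netty minor bump that ZooKeeper itself has not been tested against should be validated with the application's own integration tests rather than assumed compatible.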

@frederiko (Contributor, Author)

frederiko commented Feb 18, 2021

@ztzg Yeah, this update is to reach zero vulnerability policy. "lifesaver" was a bad wording choice here. ;-) I don't really expect any issues. In regards to building, I was unaware of the release cadence, hence the question, and yes, I can try building myself and go from there, no need to raise the question to devs.

@eolivelli Understood. I will certainly take any concerns to the community. In any case, I truly appreciate the speed with which the PRs have been approved.

@ztzg (Contributor)

ztzg commented Feb 18, 2021

> @ztzg Yeah, this update is to reach zero vulnerability policy. "lifesaver" was a bad wording choice here. ;-) I don't really expect any issues.

No problem; I was just wondering.

ztzg pushed a commit that referenced this pull request Mar 7, 2021
On PR #1605 eolivelli requested to also update the Ivy dependency file. This PR addresses the comment on #1605 (comment)

Author: Frederiko Costa <frederiko.costa@workday.com>

Reviewers: Enrico Olivelli <eolivelli@apache.org>, Damien Diederen <ddiederen@apache.org>

Closes #1607 from frederiko/ivy-update