ZOOKEEPER-4532: Bump jetty to 9.4.46.v20220331(avoids CVE-2022-22965) #1866

Closed
wants to merge 1 commit into from

Conversation

fu-turer

No description provided.

@fu-turer
Author

@maoling @eolivelli

@arshadmohammad
Contributor

Which jira is this PR related to? Please mention the jira number in the PR title.

Contributor

@eolivelli eolivelli left a comment

Can you please also update the License files?

@fu-turer fu-turer changed the title Bump jetty to 9.4.46.v20220331(avoids CVE-2022-2296) ZOOKEEPER-4532: Bump jetty to 9.4.46.v20220331(avoids CVE-2022-2296) Apr 28, 2022
@fu-turer
Author

Which jira is this PR related to? Please mention the jira number in the PR title.

@arshadmohammad done

@fu-turer
Author

fu-turer commented Apr 28, 2022

Can you please also update the License files?

@eolivelli done

@fu-turer fu-turer requested a review from eolivelli April 28, 2022 13:59
@arshadmohammad
Contributor

@fu-turer
How is CVE-2022-2296 related to jetty? Can you please provide some information.
If this CVE is applicable to the used jetty version 9.4.43.v20210629, any idea why dependency-check:check is not failing?

@fu-turer
Author

fu-turer commented May 9, 2022

@fu-turer How is CVE-2022-2296 related to jetty? Can you please provide some information. If this CVE is applicable to the used jetty version 9.4.43.v20210629, any idea why dependency-check:check is not failing?

@arshadmohammad sorry, it should be CVE-2022-22965

@fu-turer fu-turer changed the title ZOOKEEPER-4532: Bump jetty to 9.4.46.v20220331(avoids CVE-2022-2296) ZOOKEEPER-4532: Bump jetty to 9.4.46.v20220331(avoids CVE-2022-22965) May 9, 2022
Contributor

@symat symat left a comment

LGTM

@symat
Contributor

symat commented May 17, 2022

sorry, it should be CVE-2022-22965

actually CVE-2022-22965 is about Spring (and we don't use Spring in ZooKeeper). I think the CVE you are looking for is CVE-2022-24823. At least when I run the CVE check on the current master branch, this is the only CVE it finds and it is indeed fixed with the netty update.

I'll update the title accordingly

@symat
Contributor

symat commented May 17, 2022

this is the only CVE it finds and it is indeed fixed with the netty update.

hmm... but this PR is about jetty, not netty. So why do we want to upgrade jetty? Maybe I misunderstand something... @fu-turer, why do you think CVE-2022-22965 affects ZooKeeper, and how is it related to Jetty?

@symat
Contributor

symat commented May 17, 2022

On the other hand we don't necessarily need a CVE to upgrade jetty I think. I just want to understand the reasoning.

@edwin092
Contributor

Will this get merged? I see ZOOKEEPER-4599 reported also for CVE-2022-2048 on the current Jetty version.

@symat
Contributor

symat commented Sep 26, 2022

Thank you @edwin092 , CVE-2022-2048 indeed looks scary and it does affect ZooKeeper. Unfortunately we need at least jetty 9.4.47 to fix it, so this PR in its current form is not enough.

@fu-turer - can you update your PR to go up to Jetty 9.4.47? Then I can merge it to all active branches.
Or if you have no time for it, then I can submit another PR for ZOOKEEPER-4599.
Thank you!!
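The point of the comment above is that a dependency bump only closes an advisory if it reaches the first fixed release; 9.4.46 falls short of the 9.4.47 that CVE-2022-2048 needs. The following added example (not code from the ZooKeeper project or this PR) parses Jetty's `major.minor.patch.vYYYYMMDD` version strings and reports which advisories a candidate version still leaves open. The minimum fixed version for CVE-2022-2048 is taken from the thread; the table layout and function names are my own.

```python
import re
from typing import NamedTuple, Optional


class JettyVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: Optional[str]  # e.g. "v20220331"; None when only "9.4.47" is given


# Jetty 9.4.x release strings look like 9.4.46.v20220331; the date suffix is optional.
_JETTY_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(v\d{8}))?$")


def parse_jetty_version(text: str) -> JettyVersion:
    """Parse a Jetty version string; raise ValueError on anything unexpected."""
    match = _JETTY_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch, build = match.groups()
    return JettyVersion(int(major), int(minor), int(patch), build)


def _numeric(version: JettyVersion) -> tuple:
    # Only the numeric triple decides ordering; the date suffix is informational.
    return (version.major, version.minor, version.patch)


# Advisory -> first Jetty 9.4.x release that contains the fix.
# CVE-2022-2048 needs at least 9.4.47, as stated in the thread (hypothetical table
# layout; extend it with further advisories as needed).
MIN_FIXED_VERSION = {
    "CVE-2022-2048": "9.4.47",
}


def unresolved_advisories(candidate: str, table=MIN_FIXED_VERSION) -> list:
    """Return the advisories that `candidate` is still too old to fix."""
    cand = _numeric(parse_jetty_version(candidate))
    return sorted(
        cve for cve, fixed in table.items()
        if cand < _numeric(parse_jetty_version(fixed))
    )


if __name__ == "__main__":
    for version in ("9.4.43.v20210629", "9.4.46.v20220331", "9.4.47"):
        print(version, "->", unresolved_advisories(version) or "no known open advisory")
```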

@edwin092
Contributor

@fu-turer @symat any chance this will get addressed?

@fu-turer fu-turer closed this Apr 5, 2023
7 participants