ZOOKEEPER-4532: Bump jetty to 9.4.46.v20220331(avoids CVE-2022-22965) #1866
Conversation
This PR is related to which Jira? Please mention the Jira number in the PR title.
Can you please also update the License files?
@arshadmohammad done
@eolivelli done
@fu-turer
@arshadmohammad sorry, it should be
LGTM
actually CVE-2022-22965 is about Spring (and we don't use Spring in ZooKeeper). I think the CVE you are looking for is CVE-2022-24823. At least when I run the CVE check on the current master branch, this is the only CVE it finds and it is indeed fixed with the netty update. I'll update the title accordingly
hmm... but this PR is about jetty, not netty. So why do we want to upgrade jetty? Maybe I misunderstand something... @fu-turer, why do you think this CVE-2022-22965 is affecting ZooKeeper and how is this related to Jetty?
On the other hand we don't necessarily need a CVE to upgrade jetty I think. I just want to understand the reasoning.
Will this get merged? I see ZOOKEEPER-4599 reported also for CVE-2022-2048 on the current Jetty version.
Thank you @edwin092, CVE-2022-2048 indeed looks scary and it does affect ZooKeeper. Unfortunately we need at least jetty 9.4.47 to fix it, so this PR in its current form is not enough. @fu-turer - can you update your PR to go up to Jetty 9.4.47? Then I can merge it to all active branches.
No description provided.
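The last comment in the thread turns on a version comparison: the PR pins Jetty 9.4.46.v20220331, but the fix the reviewer wants requires at least 9.4.47. The snippet below is an added example, not code from this PR or from the ZooKeeper project. It parses Jetty's `MAJOR.MINOR.PATCH[.vYYYYMMDD]` version strings into sortable tuples and checks a pinned version against a minimum, so the "is this bump high enough?" question can be answered mechanically. The `<jetty.version>` property name in the constructed pom.xml fragment is an assumption for illustration; the version strings other than the two named in the thread are constructed samples.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Jetty 9.4.x artifacts are versioned like "9.4.46.v20220331": three numeric
# components followed by an optional ".v" + YYYYMMDD build qualifier.
_JETTY_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")

# Assumed property name; real projects may pin Jetty under a different key.
_POM_JETTY_PROPERTY = re.compile(r"<jetty\.version>\s*([^<\s]+)\s*</jetty\.version>")


def parse_jetty_version(version: str) -> Tuple[int, int, int, int]:
    """Return a sortable (major, minor, patch, build_date) tuple.

    A missing build qualifier becomes 0, so a bare "9.4.47" sorts above every
    9.4.46 build and below any dated 9.4.47 build.
    """
    m = _JETTY_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def meets_minimum(version: str, minimum: str) -> bool:
    """True if `version` is at or above `minimum` under Jetty's ordering."""
    return parse_jetty_version(version) >= parse_jetty_version(minimum)


def jetty_version_from_pom(pom_text: str) -> Optional[str]:
    """Extract the pinned Jetty version from a pom.xml (assumed property name)."""
    m = _POM_JETTY_PROPERTY.search(pom_text)
    return m.group(1) if m else None


def audit(versions: Iterable[str], minimum: str) -> Dict[str, bool]:
    """Map each candidate version to whether it satisfies `minimum`."""
    return {v: meets_minimum(v, minimum) for v in versions}


# Minimum the reviewer asked for in the thread (fix for CVE-2022-2048).
MINIMUM_FOR_CVE_2022_2048 = "9.4.47"

# Constructed pom.xml fragment pinning the version this PR proposed.
SAMPLE_POM = """
<project>
  <properties>
    <jetty.version>9.4.46.v20220331</jetty.version>
  </properties>
</project>
"""

# Constructed sample versions: the two from the thread plus neighbours.
SAMPLE_VERSIONS = [
    "9.4.43.v20210629",
    "9.4.46.v20220331",
    "9.4.47",
    "9.4.48.v20220622",
]

if __name__ == "__main__":
    pinned = jetty_version_from_pom(SAMPLE_POM)
    print(f"pom pins Jetty {pinned}: "
          f"{'OK' if pinned and meets_minimum(pinned, MINIMUM_FOR_CVE_2022_2048) else 'BELOW MINIMUM'}")
    for v, ok in audit(SAMPLE_VERSIONS, MINIMUM_FOR_CVE_2022_2048).items():
        print(f"{v:20} {'OK' if ok else 'BELOW MINIMUM'}")
```

Run as a script it reports the pinned 9.4.46.v20220331 as below the 9.4.47 minimum, which is exactly the gap the reviewer pointed out. Because the comparison is on integer tuples rather than strings, "9.4.47" correctly sorts above "9.4.46.v20220331" even though a plain string comparison would get the build qualifier wrong.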