[ https://issues.apache.org/jira/browse/HADOOP-16544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16943775#comment-16943775 ]

Wei-Chiu Chuang commented on HADOOP-16544:
------------------------------------------

I just want to emphasize that netty 3.6.2Final is vulnerable to CVE-2014-0193 (medium), CVE-2015-2156 (high) and CVE-2014-3488 (medium). I haven't verified if the change causes compat issue, but we really should move up.

> update io.netty in branch-2
> ---------------------------
>
>                 Key: HADOOP-16544
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16544
>             Project: Hadoop Common
>          Issue Type: Task
>            Reporter: Wei-Chiu Chuang
>            Assignee: Masatake Iwasaki
>            Priority: Major
>              Labels: release-blocker
>             Fix For: 2.10.0
>
>         Attachments: HADOOP-16544-branch-2.001.patch,
> HADOOP-16544-branch-2.002.patch, HADOOP-16544-branch-2.003.patch,
> HADOOP-16544-branch-2.004.patch
>
>
> branch-2 pulls in io.netty 3.6.2.Final which is more than 5 years old.
> The latest is 3.10.6Final. I know updating netty is sensitive but it deserves
> some attention.