[
https://issues.apache.org/jira/browse/HADOOP-18646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17693961#comment-17693961
]
ASF GitHub Bot commented on HADOOP-18646:
-----------------------------------------
steveloughran commented on PR #5435:
URL: https://github.com/apache/hadoop/pull/5435#issuecomment-1446129044
Right,
I have just done the x86 RC this weekend and I am doing the arm64 one right
now, and with a goal of putting the RC2 out for a vote by about 17:00 UTC.
Is the CVE something to which Hadoop is actually vulnerable?
Because we have lots of other issues and trying to keep every single
transient jar up to date is a losing battle. If I hold off it will cost time
and then something else will come up and I absolutely want to get this up for a
vote by tomorrow. Also, last-minute JAR updates are incredibly dangerous: nobody
will have any time to have tested the release for regressions. I am scared of
them.
I want to get this release out the way and then we can start worrying about
what we do in a follow-up in a few months' time, which can absolutely take this
update as it gives us the time to make sure this update works.
So, please make the case for why this CVE should force the cancelling of the
in-progress RC. Otherwise, given all the other pressing issues we have to fix in
this release I really want to say no.
> Upgrade Netty to 4.1.89.Final
> -----------------------------
>
> Key: HADOOP-18646
> URL: https://issues.apache.org/jira/browse/HADOOP-18646
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build
> Affects Versions: 3.3.4
> Reporter: Aleksandr Nikolaev
> Assignee: Aleksandr Nikolaev
> Priority: Major
> Labels: pull-request-available
>
> h4. Netty version - 4.1.89 has fixes for CVEs:
> [CVE-2022-41881|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41881]
>