[ https://issues.apache.org/jira/browse/HADOOP-18646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17693964#comment-17693964 ]

ASF GitHub Bot commented on HADOOP-18646:
-----------------------------------------

nao-it commented on PR #5435:
URL: https://github.com/apache/hadoop/pull/5435#issuecomment-1446141140

   > Right,
   > 
   > I have just done the x86 RC this weekend and I am doing the arm64 one right now, and with a goal of putting the RC2 out for a vote by about 17:00 UTC.
   > 
   > Is the CVE something to which Hadoop is actually vulnerable?
   > 
   > Because we have lots of other issues and trying to keep every single transient jar up to date is a losing battle. If I hold off it will cost time and then something else will come up and I absolutely want to get this up for a vote by tomorrow. Also, last minute JAR updates are incredibly dangerous: nobody will have any time to have tested the release for regressions. I am scared of them.
   > 
   > I want to get this release out the way and then we can start worrying about what we do in a follow-up in a few months' time, which can absolutely take this update as it gives us the time to make sure this update works.
   > 
   > So, please make the case for why this CVE should force the cancelling of the in-progress RC. Otherwise given all the other pressing issues we have to fix in this release I really want to say no.
   
   I don't have to jump on the outgoing train, you can put a fix in the next release, since the RC for the current one is already available.




> Upgrade Netty to 4.1.89.Final
> -----------------------------
>
>                 Key: HADOOP-18646
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18646
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 3.3.4
>            Reporter: Aleksandr Nikolaev
>            Assignee: Aleksandr Nikolaev
>            Priority: Major
>              Labels: pull-request-available
>
> h4. Netty version 4.1.89 has fixes for CVEs:
> [CVE-2022-41881|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41881]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
