[jira] [Commented] (HADOOP-19788) Upgrade Netty due to CVE-2025-67735

ASF GitHub Bot (Jira) Wed, 11 Mar 2026 02:33:08 -0700


    [ 
https://issues.apache.org/jira/browse/HADOOP-19788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18065028#comment-18065028
 ]


ASF GitHub Bot commented on HADOOP-19788:
-----------------------------------------

hadoop-yetus commented on PR #8188:
URL: https://github.com/apache/hadoop/pull/8188#issuecomment-4037783462

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   0m 51s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  0s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
   |||| _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |   2m  6s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  53m  6s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  17m 26s |  |  trunk passed with JDK 
Ubuntu-21.0.10+7-Ubuntu-124.04  |
   | +1 :green_heart: |  compile  |  18m  3s |  |  trunk passed with JDK 
Ubuntu-17.0.18+8-Ubuntu-124.04.1  |
   | +1 :green_heart: |  mvnsite  |  19m 56s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   9m 35s |  |  trunk passed with JDK 
Ubuntu-21.0.10+7-Ubuntu-124.04  |
   | +1 :green_heart: |  javadoc  |   9m 31s |  |  trunk passed with JDK 
Ubuntu-17.0.18+8-Ubuntu-124.04.1  |
   | +1 :green_heart: |  shadedclient  |  51m 34s |  |  branch has no errors 
when building and testing our client artifacts.  |
   | -0 :warning: |  patch  |  51m 57s |  |  Used diff version of patch file. 
Binary files and potentially other changes not applied. Please rebase and 
squash commits if necessary.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 34s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  43m  9s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  17m 25s |  |  the patch passed with JDK 
Ubuntu-21.0.10+7-Ubuntu-124.04  |
   | +1 :green_heart: |  javac  |  17m 25s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  18m  7s |  |  the patch passed with JDK 
Ubuntu-17.0.18+8-Ubuntu-124.04.1  |
   | +1 :green_heart: |  javac  |  18m  7s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  19m 57s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   9m 35s |  |  the patch passed with JDK 
Ubuntu-21.0.10+7-Ubuntu-124.04  |
   | +1 :green_heart: |  javadoc  |   9m 30s |  |  the patch passed with JDK 
Ubuntu-17.0.18+8-Ubuntu-124.04.1  |
   | +1 :green_heart: |  shadedclient  |  52m 23s |  |  patch has no errors 
when building and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | -1 :x: |  unit  | 812m 16s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8188/3/artifact/out/patch-unit-root.txt)
 |  root in the patch failed.  |
   | +1 :green_heart: |  asflicense  |   1m 51s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1133m 24s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.yarn.server.router.webapp.TestFederationWebApp 
|
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.54 ServerAPI=1.54 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8188/3/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/8188 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 3b9298a0d8ca 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 
20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / a5c431eab35ec1c0c1d98c72e6ea5caf8427b41a |
   | Default Java | Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04 
/usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8188/3/testReport/ |
   | Max. process+thread count | 3702 (vs. ulimit of 5500) |
   | modules | C: hadoop-project . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8188/3/console |
   | versions | git=2.43.0 maven=3.9.11 shellcheck=0.9.0 |
   | Powered by | Apache Yetus 0.14.1 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> Upgrade Netty due to CVE-2025-67735
> -----------------------------------
>
>                 Key: HADOOP-19788
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19788
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Edward Capriolo
>            Assignee: Edward Capriolo
>            Priority: Major
>              Labels: pull-request-available
>
> {code:java}
> //$ find . -name "*.java" | xargs grep HttpRequestEncoder
> ./hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/web/SimpleHttpProxyHandler.java:import
>  io.netty.handler.codec.http.HttpRequestEncoder;
> ./hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/web/SimpleHttpProxyHandler.java:
>           p.addLast(new HttpRequestEncoder());
>  {code}
> [https://nvd.nist.gov/vuln/detail/CVE-2025-67735]
> h3. Description
> Netty is an asynchronous, event-driven network application framework. In 
> versions prior to 4.1.129.Final and 4.2.8.Final, the 
> `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with 
> the request URI when constructing a request. This leads to request smuggling 
> when `HttpRequestEncoder` is used without proper sanitization of the URI. Any 
> application / framework using `HttpRequestEncoder` can be subject to be 
> abused to perform request smuggling using CRLF injection. Versions 
> 4.1.129.Final and 4.2.8.Final fix the issue.
> Netty is constantly getting updated. This seems like a legit reason as any.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (HADOOP-19788) Upgrade Netty due to CVE-2025-67735

Reply via email to