Hey. On Sun, 2021-06-27 at 14:46 +0200, Salvatore Bonaccorso wrote: > To me this looks like CVEs in other products, but which zookeeper > uses > as dependency? Is this correct?
Indeed, but I couldn't find that the zookeeper package depends on these while it does contain: zookeeper-3.4.13/src$ find . -iname "*nett*" ./java/main/org/apache/zookeeper/server/NettyServerCnxnFactory.java ./java/main/org/apache/zookeeper/server/NettyServerCnxn.java ./java/test/org/apache/zookeeper/server/NettyServerCnxnTest.java ./java/test/org/apache/zookeeper/test/NioNettySuiteTest.java ./java/test/org/apache/zookeeper/test/NioNettySuiteHammerTest.java ./java/test/org/apache/zookeeper/test/NioNettySuiteBase.java ... so I figured these might still be affected? And apart from that... if they apparently don't support older versions anymore, we'd like not even notice should these contain any security issues. Cheers, Chris.