rymarm opened a new pull request #2185:
URL: https://github.com/apache/drill/pull/2185


   # [DRILL-7790](https://issues.apache.org/jira/browse/DRILL-7790): Build Drill with Netty version 4.1.50.Final
   
   `Netty` version `4.0.48.Final` has vulnerabilities such as CVE-2019-16869, CVE-2014-3488 and others. I want to update to the latest available stable version of `Netty`, `4.1.59.Final`.
   
   `ChannelPromise` and `ChannelFuture` were replaced with `DefaultPromise` and `Future` accordingly. This was done in response to the changes in https://github.com/netty/netty/commit/1740f366eb728ea5a0a63d18e9042161673414cd. `ChannelPromise` and `ChannelFuture` are used incorrectly, and Netty's changes predict it.
   
   Another breaking `Netty` change is https://github.com/netty/netty/commit/39cc7a673939dec96258ff27f5b1874671838af0. In Drill we have `ByteBuffAlocater`, which doesn't support heap buffers. But the Netty commit changed internal behavior in `SslHandler`. Previously, regardless of the chosen SSL engine, only `directBuffer()` or `buffer()` were used, which in our case both led to the same thing: `directBuffer`. But now the behavior has changed, and for the JDK SSL engine `heapBuffer()` is always used, which is not supported in Drill. So I'm not sure how to resolve this issue. In this PR I propose to use `directBuffer()` under `heapBuffer()`, but it is not the best solution. Maybe someone from the Drill community knows a better solution?
   
   ## Documentation
   No user visible changes
   
   ## Testing
   Unit tests
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
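
The delegation proposed in the pull request, sketched as an added example that is not code from the PR or from Drill: a Netty 4.1 allocator whose `heapBuffer()` calls are answered from direct memory. The class name `DirectOnlyAllocator` is hypothetical, and the example assumes only `netty-buffer` 4.1.x on the classpath.

```java
import io.netty.buffer.AbstractByteBufAllocator;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.UnpooledDirectByteBuf;

/** Hypothetical allocator (not Drill's): serves heapBuffer() requests from direct memory. */
public final class DirectOnlyAllocator extends AbstractByteBufAllocator {

  public DirectOnlyAllocator() {
    super(true); // prefer direct buffers for buffer() and ioBuffer()
  }

  @Override
  protected ByteBuf newDirectBuffer(int initialCapacity, int maxCapacity) {
    return new UnpooledDirectByteBuf(this, initialCapacity, maxCapacity);
  }

  @Override
  protected ByteBuf newHeapBuffer(int initialCapacity, int maxCapacity) {
    // The delegation described in the PR: a heap request is answered with a direct buffer.
    return newDirectBuffer(initialCapacity, maxCapacity);
  }

  @Override
  public boolean isDirectBufferPooled() {
    return false;
  }

  public static void main(String[] args) {
    DirectOnlyAllocator alloc = new DirectOnlyAllocator();
    ByteBuf buf = alloc.heapBuffer(16);
    try {
      // A caller that asked for a heap buffer may assume a backing array exists;
      // with this allocator it must check hasArray() before calling array().
      System.out.println("isDirect=" + buf.isDirect() + " hasArray=" + buf.hasArray());
      buf.writeInt(42);
      byte[] copy = new byte[buf.readableBytes()];
      buf.getBytes(buf.readerIndex(), copy); // index-based copy works for heap and direct buffers
      System.out.println("copied " + copy.length + " bytes");
    } finally {
      buf.release(); // direct memory is reference-counted and must be released
    }
  }
}
```

The point to review in such a delegation is any caller that invokes `array()` or `arrayOffset()` on a buffer it obtained from `heapBuffer()`, since a direct buffer throws `UnsupportedOperationException` there.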
