[
https://issues.apache.org/jira/browse/FLUME-3115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16133418#comment-16133418
]
Ferenc Szabo commented on FLUME-3115:
-------------------------------------
netty 3.x.x needed for avro-ipc so we need to have that version untill it is
upgraded. Unfortunately it is part of the public api, so the next opportunity
to upgrade that is the next mayor release. However the latest 3.x.x version
does not have the security vulnerability so the upgrade there is an option.
netty-all 4.x.x is in the hbase-client the latest version of that is also looks
ok in the aspect of security vulnerabilities.
There are some components that use netty 3.x.x and could be updated to
netty-all 4.x.x. I will create JIRA issues to extract them to a single
submodule and refactor them to use netty 4. Until that they can work with the
latest 3.x.x
> Upgrade netty library dependency
> --------------------------------
>
> Key: FLUME-3115
> URL: https://issues.apache.org/jira/browse/FLUME-3115
> Project: Flume
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Attila Simon
> Assignee: Ferenc Szabo
> Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|
> Note: This artifact was moved to:
> - New Group io.netty
> - New Artifact netty-all
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/
> Please do:
> - double check the newest version.
> - consider to remove a dependency if better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in
> which case please add this label `breaking_change` and fix version should be
> the next major)
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
