On 3/20/21 3:48 AM, Tsz Wo Sze wrote:
In https://issues.apache.org/jira/browse/RATIS-1342 , we have bumped Netty version to 4.1.60.Final in ratis-thirdparty due to the Netty vulnerabilities. - https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 - https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj Should we also have a ratis-thridparty release?
As far as I understood Ratis/Ozone are not affected by these vulnerabilities.
I am +1 to create new ratis-thirdparty release, but IMHO we don't need to cancel the current 2.0.0 vote, we can close it and release the artifacts...
Marton
