[
https://issues.apache.org/jira/browse/ZOOKEEPER-2423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15273152#comment-15273152
]
Michael Han commented on ZOOKEEPER-2423:
----------------------------------------
Thanks [~phunt] for the kind reminder and fix.
> Upgrade Netty version due to security vulnerability (CVE-2014-3488)
> -------------------------------------------------------------------
>
> Key: ZOOKEEPER-2423
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2423
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.8, 3.5.1, 3.6.0
> Reporter: Michael Han
> Assignee: Michael Han
> Priority: Critical
> Labels: security
> Fix For: 3.4.9, 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2423-br34.patch, ZOOKEEPER-2423.patch
>
>
> The SslHandler in Netty before 3.9.2 allows remote attackers to cause a
> denial of service (infinite loop and CPU consumption) via a crafted
> SSLv2Hello message [1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which
> is affected by this vulnerability.
> We should upgrade Netty version to a later version that fixed this issue. I
> am leaning towards to upgrade Netty version to 3.10.5 [2], which is the
> latest release of the major version (3) that ZK 3.4/5/6 is using. Thoughts on
> which Netty version we should upgrade to?
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
> [2] http://netty.io/news/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
