[
https://issues.apache.org/jira/browse/ZOOKEEPER-2423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15273228#comment-15273228
]
Hudson commented on ZOOKEEPER-2423:
-----------------------------------
SUCCESS: Integrated in ZooKeeper-trunk #2913 (See
[https://builds.apache.org/job/ZooKeeper-trunk/2913/])
ZOOKEEPER-2423: Upgrade Netty version due to security vulnerability
(CVE-2014-3488) (Michael Han via phunt) (phunt:
[http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1742472])
* trunk/CHANGES.txt
* trunk/ivy.xml
> Upgrade Netty version due to security vulnerability (CVE-2014-3488)
> -------------------------------------------------------------------
>
> Key: ZOOKEEPER-2423
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2423
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.8, 3.5.1, 3.6.0
> Reporter: Michael Han
> Assignee: Michael Han
> Priority: Critical
> Labels: security
> Fix For: 3.4.9, 3.5.2, 3.6.0
>
> Attachments: ZOOKEEPER-2423-br34.patch, ZOOKEEPER-2423.patch
>
>
> The SslHandler in Netty before 3.9.2 allows remote attackers to cause a
> denial of service (infinite loop and CPU consumption) via a crafted
> SSLv2Hello message [1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which
> is affected by this vulnerability.
> We should upgrade Netty to a later version that fixes this issue. I am
> leaning towards upgrading the Netty version to 3.10.5 [2], which is the
> latest release of the major version (3) that ZK 3.4/5/6 is using. Thoughts on
> which Netty version we should upgrade to?
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
> [2] http://netty.io/news/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
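The fix landed by changing the Netty rev in ivy.xml, so the practical check for anyone tracking this on a fork or older branch is "which Netty 3.x rev does the build resolve, and is it below 3.9.2?". The script below is an added example, not code from the issue or from the ZooKeeper project. It embeds a constructed ivy.xml (not ZooKeeper's real file), assumes the Netty 3.x artifact is the io.netty:netty coordinate, and assumes a rev may be a ${property} placeholder resolved from a dict the caller supplies; the only fact it takes from the page is that the 3.x line is affected before 3.9.2, so other major lines are reported as not covered rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

# From the CVE text quoted in the issue: SslHandler in Netty before 3.9.2
# is affected. Only the 3.x line is covered by this check.
NETTY3_FIXED = (3, 9, 2)

# Constructed sample ivy.xml for demonstration (not ZooKeeper's actual file).
# io.netty:netty is assumed to be the Netty 3.x artifact coordinate.
SAMPLE_IVY_XML = """<?xml version="1.0"?>
<ivy-module version="2.0">
  <info organisation="org.apache.zookeeper" module="zookeeper"/>
  <dependencies>
    <dependency org="io.netty" name="netty" rev="3.7.0.Final" conf="default"/>
    <dependency org="log4j" name="log4j" rev="1.2.16" conf="default"/>
  </dependencies>
</ivy-module>
"""


def parse_version(rev):
    """Leading numeric components of an Ivy rev as a tuple.
    '3.7.0.Final' -> (3, 7, 0); '3.10.5.Final' -> (3, 10, 5)."""
    parts = []
    for piece in rev.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # stop at the first qualifier such as 'Final'
    if not parts:
        raise ValueError("unparseable rev: %r" % rev)
    return tuple(parts)


def resolve(rev, properties):
    """Substitute ${name} placeholders from a caller-supplied dict (assumption:
    the build passes the real version to Ivy this way). Unknown names are kept."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: properties.get(m.group(1), m.group(0)), rev)


def netty_dependencies(ivy_xml, properties=None):
    """All resolved revs of io.netty:netty declared in the module."""
    properties = properties or {}
    root = ET.fromstring(ivy_xml)
    revs = []
    for dep in root.iter("dependency"):
        if dep.get("org") == "io.netty" and dep.get("name") == "netty":
            revs.append(resolve(dep.get("rev", ""), properties))
    return revs


def classify(rev):
    """'vulnerable' / 'fixed' for the 3.x line; 'not-covered' for other lines,
    whose affected range is not stated on the page."""
    v = parse_version(rev)
    if v[0] != 3:
        return "not-covered"
    padded = (v + (0, 0, 0))[:3]  # treat '3.9' as 3.9.0
    return "vulnerable" if padded < NETTY3_FIXED else "fixed"


def audit(ivy_xml, properties=None):
    """Map each io.netty:netty rev found in the module to its verdict."""
    return {rev: classify(rev) for rev in netty_dependencies(ivy_xml, properties)}


if __name__ == "__main__":
    for rev, verdict in audit(SAMPLE_IVY_XML).items():
        print("io.netty:netty", rev, "->", verdict)
```

Run it against a checked-out ivy.xml by reading the file into `audit()`; when the rev is a placeholder, pass the value your build sets (for example `{"netty.version": "3.10.5.Final"}`) as the second argument. Version ordering is numeric per component, so 3.10.5 correctly sorts above 3.9.2, which a plain string comparison would get wrong.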