Michael Han created ZOOKEEPER-2450:
--------------------------------------

             Summary: Upgrade Netty version due to security vulnerability (CVE-2014-3488)
                 Key: ZOOKEEPER-2450
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2450
             Project: ZooKeeper
          Issue Type: Bug
          Components: security, server
    Affects Versions: 3.5.1, 3.4.8, 3.6.0
            Reporter: Michael Han
            Assignee: Michael Han
            Priority: Critical
             Fix For: 3.4.9, 3.5.2, 3.6.0
This JIRA recreates ZOOKEEPER-2432, which was deleted as collateral damage during the spam-fighting effort the Apache Infrastructure Team did weeks ago. Recreating the JIRA for the record so external documentation can link back to it.

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message [1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which is affected by this vulnerability.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
[2] http://netty.io/news/

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
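The fix described in this ticket is a dependency upgrade, so the practical check is whether a build still resolves a Netty revision older than 3.9.2, the first fixed version the ticket names. The script below is an added example and is not ZooKeeper project code: it parses an Ivy-style dependency list (the embedded manifest is constructed for illustration, not ZooKeeper's real ivy.xml) and flags every io.netty:netty dependency whose revision compares below 3.9.2. It covers only what the ticket states about the 3.x line; whether other Netty release lines are affected is not assumed here.

```python
"""
Dependency-version check for the Netty SslHandler issue tracked in this ticket.

Added example, not ZooKeeper code.  Parses an Ivy-style <dependencies> block
(the sample below is constructed) and reports each io.netty:netty dependency
whose revision is below 3.9.2, the first fixed version named on the page.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# First version in which the ticket says the SslHandler issue is fixed.
FIXED_VERSION = "3.9.2"

# Constructed sample manifest in Ivy's layout (hypothetical contents):
# one Netty revision below the fix and one at the fix.
SAMPLE_IVY = """<?xml version="1.0"?>
<ivy-module version="2.0">
  <info organisation="example" module="sample"/>
  <dependencies>
    <dependency org="io.netty" name="netty" rev="3.7.0.Final" conf="default"/>
    <dependency org="org.slf4j" name="slf4j-api" rev="1.7.5" conf="default"/>
    <dependency org="io.netty" name="netty" rev="3.9.2.Final" conf="test"/>
  </dependencies>
</ivy-module>
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.7.0.Final' into (3, 7, 0) so revisions compare numerically.

    Only the leading dot-separated numeric components are used; a qualifier
    such as 'Final' ends the scan.  Missing components count as zero, so
    '3.9' compares equal to '3.9.0' (and therefore below '3.9.2').
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the first fixed version.

    An empty or unparsable revision yields (0, 0, 0) and is therefore
    reported, which is the conservative outcome for a version check.
    """
    return version_key(version) < version_key(fixed)


def find_vulnerable_netty(ivy_xml: str) -> List[Tuple[str, str]]:
    """Return (rev, conf) for each io.netty:netty dependency below FIXED_VERSION."""
    root = ET.fromstring(ivy_xml)
    hits = []
    for dep in root.iter("dependency"):
        if dep.get("org") == "io.netty" and dep.get("name") == "netty":
            rev = dep.get("rev", "")
            if is_vulnerable(rev):
                hits.append((rev, dep.get("conf", "")))
    return hits


if __name__ == "__main__":
    for rev, conf in find_vulnerable_netty(SAMPLE_IVY):
        print(f"io.netty:netty {rev} (conf={conf}) is below {FIXED_VERSION}; upgrade")
```

Run against a real manifest by passing its contents to `find_vulnerable_netty`; because Ivy revisions can carry qualifiers and a variable number of components, the comparison is done on parsed integer tuples rather than on the raw strings, which is what makes "3.10.x" correctly sort above "3.9.2".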