[
https://issues.apache.org/jira/browse/DRILL-7790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17294630#comment-17294630
]
ASF GitHub Bot commented on DRILL-7790:
---------------------------------------
rymarm opened a new pull request #2185:
URL: https://github.com/apache/drill/pull/2185
# [DRILL-7790](https://issues.apache.org/jira/browse/DRILL-7790): Build
Drill with Netty version 4.1.50.Final
`Netty` of version `4.0.48.Final` has vulnerabilities as CVE-2019-16869,
CVE-2014-3488 and other. I want to update to the last available, stable version
of `Netty` `4.1.59.Final`.
`ChannelPromise` and `ChannelFuture` were replaced with `DefaultPromise` and
`Future` according. It was done in response to changes in
https://github.com/netty/netty/commit/1740f366eb728ea5a0a63d18e9042161673414cd
. `ChannelPromise` and `ChannelFuture` are wrong used and netty's changes are
predict it.
Other one breaking `Netty` change is
https://github.com/netty/netty/commit/39cc7a673939dec96258ff27f5b1874671838af0
. In Drill we have `ByteBuffAlocater` which doesn't support heap buffers. But
in the netty's commit was changed internal behavior in `SslHandler`.
Previously, regardless to chosen ssl engine, were using only `directBuffer()`
or `buffer()`, which in our case both lid to the same - `directBuffer`. But
now, behavior was changed and for JDK ssl engine is always used `heapBuffer()`
which is not supported in Drill. So, I'm not sure, how to resolve this issue.
In this PR I propose to use `directBuffer()` under `heapBuffer()`, but it is
not the best solution. Maybe, someone from Drill community know a better
solution?
## Documentation
No user visible changes
## Testing
Unit tests
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Build Drill with Netty version 4.1.50.Final
> -------------------------------------------
>
> Key: DRILL-7790
> URL: https://issues.apache.org/jira/browse/DRILL-7790
> Project: Apache Drill
> Issue Type: Bug
> Affects Versions: 1.17.0
> Reporter: alka kumari
> Priority: Major
>
> Hi,
>
> In apache Drill Client 1.17, Netty version 4.0.48.Final is being used and it
> suffers from vulnerability (CVE-2019-16869):
> https://www.cvedetails.com/cve/CVE-2019-16869/
> https://snyk.io/vuln/maven:io.netty%3Anetty-all
>
> This has been fixed in the latest netty (4.1.50.Final).
>
> We want to build a drill with the latest Netty version that is free from any
> vulnerabilities.
>
> As there are many breaking changes from 4.0.48 to 4.1.50, I have modified the
> code accordingly.
>
> I noticed that after trying to upgrade the dependency, I was unable to
> connect with SSL enabled.
>
> ERROR:
> Connecting to the server timed out. This is sometimes due to a mismatch in
> the SSL configuration between client and server. [ Exception: Waited 10000
> milliseconds for
> org.apache.drill.shaded.guava.com.google.common.util.concurrent.SettableFuture@6ea2bc93[status=PENDING]].
>
>
> I have created a pull request containing the changes which I have tried to
> make.
>
> Could someone please advise further on what needs to be changed?
>
> Regards,
> Alka
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
