[
https://issues.apache.org/jira/browse/KUDU-3581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17850432#comment-17850432
]
ASF subversion and git services commented on KUDU-3581:
-------------------------------------------------------
Commit 500d3d19f15c9c9b0e273adda7ec637dbc45c5c6 in kudu's branch
refs/heads/branch-1.17.x from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=500d3d19f ]
KUDU-3581: upgrade Netty to 4.1.110.Final
Even if Kudu doesn't use anything from Netty at its server side and
is not affected by the HTTP/2 rapid reset issue, it makes sense to
upgrade the Netty package used by the Kudu Java client library
to include the fix for well-known CVE [1]. It would be enough to
upgrade up to 4.1.100.Final, but I took the liberty of upgrading
up to the latest available 4.1.110.Final version.
[1] https://www.cve.org/CVERecord?id=CVE-2023-44487
Change-Id: I6e2ad686374b06d7b8cb28a7a456c21977b95ea8
Reviewed-on: http://gerrit.cloudera.org:8080/21464
Tested-by: Alexey Serbin <[email protected]>
Reviewed-by: Yingchun Lai <[email protected]>
(cherry picked from commit 8d5f82483665fd6229d08fdfe94c87b07f80f986)
Reviewed-on: http://gerrit.cloudera.org:8080/21465
Reviewed-by: Attila Bukor <[email protected]>
> Netty CVE Rapid Reset
> ---------------------
>
> Key: KUDU-3581
> URL: https://issues.apache.org/jira/browse/KUDU-3581
> Project: Kudu
> Issue Type: Task
> Reporter: Colm O hEigeartaigh
> Priority: Minor
>
> The version of Netty in Kudu 1.17.0 (4.1.94.Final -
> [https://github.com/apache/kudu/blob/6d6364d19d287d8effb604b6ab11dfdff5db794e/java/gradle/dependencies.gradle#L52)]
> is vulnerable to a security issue:
> [https://github.com/advisories/GHSA-xpw8-rcwv-8f8p]
> Please upgrade to at least 4.1.100.Final
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
