[ https://issues.apache.org/jira/browse/RATIS-2265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17937940#comment-17937940 ]
Tsz-wo Sze commented on RATIS-2265:
-----------------------------------
[~tanxinyu], thanks for pointing out
[CVE-2024-47535|https://nvd.nist.gov/vuln/detail/CVE-2024-47535]! It seems that
the bug was not completely fixed in 4.1.115.Final since
[CVE-2025-25193|https://nvd.nist.gov/vuln/detail/CVE-2025-25193] (a similar
issue was previously reported as CVE-2024-47535) was filed.
Only 4.1.118.Final and 4.1.119.Final currently do not have any CVEs.
Let's check the version details to see which one we should use.
{quote}If we use the latest version of netty and grpc is not compatible, can we
raise an issue with grpc to solve this problem?
{quote}
That is a good idea! It seems that the gRPC community might have some known
issues with using the latest Netty releases. Otherwise, they probably wouldn't be
stuck on 4.1.110.Final.
> Thirdparty should use the netty version recommended by gRPC
> -----------------------------------------------------------
>
> Key: RATIS-2265
> URL: https://issues.apache.org/jira/browse/RATIS-2265
> Project: Ratis
> Issue Type: Improvement
> Components: thirdparty
> Reporter: Tsz-wo Sze
> Assignee: Tsz-wo Sze
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The mysterious problem reported by HDDS-12103 could be caused by the
> underlying libraries. In this JIRA, we try changing the grpc, netty, protobuf
> versions.
> We should use the netty version recommended by gRPC
> - https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty