[
https://issues.apache.org/jira/browse/ZOOKEEPER-3794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Enrico Olivelli resolved ZOOKEEPER-3794.
----------------------------------------
Fix Version/s: 3.5.8
3.6.1
3.7.0
Resolution: Fixed
Committed to branch-3.5, branch-3.6, release-3.6.1 and master (3.7)
thank you [~phunt]
> upgrade netty to address CVE-2020-11612
> ---------------------------------------
>
> Key: ZOOKEEPER-3794
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3794
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Reporter: Patrick D. Hunt
> Assignee: Patrick D. Hunt
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 3.7.0, 3.6.1, 3.5.8
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The owasp checker is failing with the following. I looked and seems like a
> DOS attack vector "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for
> unbounded memory allocation while decoding a ZlibEncoded byte stream. An
> attacker could send a large ZlibEncoded byte stream to the Netty server,
> forcing the server to allocate all of its free memory to a single decoder."
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] netty-handler-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-common-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-buffer-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-resolver-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-codec-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-native-epoll-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-native-unix-common-4.1.45.Final.jar: CVE-2020-11612
> [ERROR]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
