[ https://issues.apache.org/jira/browse/ZOOKEEPER-4462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17527435#comment-17527435 ]
Ananya Singh edited comment on ZOOKEEPER-4462 at 4/26/22 5:00 AM:
------------------------------------------------------------------

Hi, getting the same CVEs after including this upgrade also. Seems the CVEs generated were due to the dependency of io.netty:netty-codec:jar:4.1.73.Final on io.netty:netty-tcnative-classes:jar:2.0.46.Final. Upgrading Netty to 4.1.75 and reverting the netty-tcnative upgrade should resolve these CVEs. Raised a Jira and PR for the same:
https://issues.apache.org/jira/browse/ZOOKEEPER-4529
[https://github.com/apache/zookeeper/pull/1867]

was (Author: ananysin):
Hi, getting the same CVEs after including this upgrade also. Seems the CVEs generated were due to the dependency of io.netty:netty-codec:jar:4.1.73.Final on io.netty:netty-tcnative-classes:jar:2.0.46.Final. Upgrading Netty to 4.1.75 should resolve these CVEs. Raised a Jira and PR for the same:
https://issues.apache.org/jira/browse/ZOOKEEPER-4529
https://github.com/apache/zookeeper/pull/1867

> Upgrade Netty TCNative to 2.0.48
> --------------------------------
>
>                 Key: ZOOKEEPER-4462
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4462
>             Project: ZooKeeper
>          Issue Type: Improvement
>            Reporter: Enrico Olivelli
>            Assignee: Enrico Olivelli
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.8.0, 3.7.1, 3.6.4
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> The OWASP checker fails, we should upgrade to the latest version
> [https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-multi-branch-owasp/detail/master/162/pipeline#step-35-log-562]
> {code:java}
> [2022-01-28T09:07:39.858Z] One or more dependencies were identified with known vulnerabilities in Apache ZooKeeper - Server:
> [2022-01-28T09:07:39.859Z] netty-tcnative-classes-2.0.46.Final.jar (pkg:maven/io.netty/netty-tcnative-classes@2.0.46.Final, cpe:2.3:a:netty:netty:2.0.46:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797
> {code}
>
> [https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-multi-branch-owasp/detail/master/162/pipeline#step-35-log-565] [2022-01-28T09:07:39.859Z]

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
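The version-alignment fix the comment describes (Netty 4.1.75 pulling a matching netty-tcnative-classes instead of the 2.0.46.Final that the OWASP checker flagged), shown as an added example that is not taken from the ZooKeeper pom or from PR 1867: importing the Netty BOM in dependencyManagement keeps every io.netty artifact, the tcnative ones included, on one managed release, so a transitive netty-codec dependency cannot resolve a stale tcnative jar. The io.netty:netty-bom coordinates are real; the surrounding project pom is assumed.

```xml
<!-- pom.xml fragment for a hypothetical project that depends on Netty transitively.
     Importing the BOM (scope=import, type=pom) pins the version of every io.netty
     artifact, including netty-tcnative-classes, to the 4.1.75.Final release set, so
     netty-codec 4.1.x can no longer drag in netty-tcnative-classes 2.0.46.Final. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-bom</artifactId>
      <version>4.1.75.Final</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the effect with `mvn dependency:tree -Dincludes=io.netty`, which should list netty-codec and netty-tcnative-classes at the BOM-managed versions only, and then re-run the OWASP dependency-check goal to verify the netty-tcnative-classes-2.0.46.Final.jar finding is gone.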