Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17828 )
Change subject: [Java] KUDU-3313 Upgrade netty version from 4.1.60.Final to 4.1.65.Final
......................................................................

Patch Set 1: Code-Review+2

(1 comment)

Thank you for the patch!

AFAIK Kudu Java client doesn't use HTTP2 from netty by any means (so there isn't any security-related threat w.r.t. CVE-2021-21409), but I guess automated security scanners might be happier with the updated build dependency for the kudu-client package.

http://gerrit.cloudera.org:8080/#/c/17828/1//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/17828/1//COMMIT_MSG@7
PS1, Line 7: 4.1.65.Final
My initial concern was disabling TLSv1 and TLSv1.1 in netty 4.1.65.Final (see https://netty.io/news/2021/05/19/4-1-65-Final.html). We don't want to cut off older servers running on CentOS6, and by default Kudu RPC allows the use of TLSv1 (see https://gerrit.cloudera.org/#/c/17268/ for the context).

But after looking at the code I realized that the Kudu Java client doesn't use netty's TLS/SSL handler, doing all the TLS handshake by itself for Kudu RPC, so no compatibility issues are expected with this upgrade.

--
To view, visit http://gerrit.cloudera.org:8080/17828
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ibbbbce745a5f1137c5b1a018bac2d6ffc26699af
Gerrit-Change-Number: 17828
Gerrit-PatchSet: 1
Gerrit-Owner: yejiabao <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Bankim Bhavsar <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Tue, 07 Sep 2021 17:21:08 +0000
Gerrit-HasComments: Yes
