[ https://issues.apache.org/jira/browse/ZOOKEEPER-4755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774022#comment-17774022 ]
Hans Aikema commented on ZOOKEEPER-4755:
[~ztzg] I think the more proper approach would be to assess whether the issue
(TLS hostname verification off by default) is mitigated in the ZooKeeper
codebase, and then add the suppression with a comment indicating that the
assessment has been done and has validated that, for the ZooKeeper case, the
insecure default is mitigated. The items you already linked provide links to
the Netty issue at the root of it, where the comments clearly indicate that as
long as you make sure to switch on the hostname verification yourself in code,
the issue is resolved.
> Handle Netty CVE-2023-4586
> --
>
> Key: ZOOKEEPER-4755
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4755
> Project: ZooKeeper
> Issue Type: Task
> Reporter: Damien Diederen
> Assignee: Damien Diederen
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.7.2, 3.8.3, 3.9.1
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The {{dependency-check:check}}... check currently fails with the following:
> {noformat}
> [ERROR] netty-handler-4.1.94.Final.jar: CVE-2023-4586(6.5)
> {noformat}
> According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4586 ,
> CVE-2023-4586 is reserved. No fix or additional information is available as
> of the creation of this ticket.
> We have to:
> # Temporarily suppress the check;
> # Monitor CVE-2023-4586 and apply the remediation as soon as it becomes
> available.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
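The mitigation the comment above refers to, switching hostname verification on in code for a Netty client-side SslHandler, looks like the following. This is an added illustration and is not ZooKeeper's or Netty's own code; the class name VerifyingSslInitializer, the constructor parameters and the helper hostnameVerificationEnabled are assumptions made for the example. It uses only the public Netty SslContext/SslHandler API and the JDK's SSLParameters, so it does not depend on any particular Netty release carrying a fix for CVE-2023-4586.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Example (not project code): installs a client-side SslHandler whose
 * SSLEngine has endpoint identification enabled, so the peer certificate
 * must name the host we intended to connect to, not merely chain to a
 * trusted CA.
 */
public final class VerifyingSslInitializer extends ChannelInitializer<Channel> {

    private final SslContext sslContext;
    private final String peerHost;   // hypothetical: host we expect in the server cert
    private final int peerPort;

    public VerifyingSslInitializer(SslContext sslContext, String peerHost, int peerPort) {
        this.sslContext = sslContext;
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Client SslContext backed by the JDK default trust store (assumption). */
    public static SslContext clientContext() throws SSLException {
        return SslContextBuilder.forClient().build();
    }

    /**
     * Builds the handler and turns hostname verification on. Passing the host
     * and port to newHandler gives the engine the expected peer identity; the
     * SSLParameters change is what actually makes the JDK engine check the
     * certificate's SAN/CN against that host during the handshake.
     */
    public SslHandler verifyingHandler(Channel ch) {
        SslHandler sslHandler = sslContext.newHandler(ch.alloc(), peerHost, peerPort);
        SSLEngine engine = sslHandler.engine();
        SSLParameters params = engine.getSSLParameters();
        // Without this line the default is null: no endpoint identification.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return sslHandler;
    }

    /** Check usable from a unit test or a startup self-check (hypothetical helper). */
    public static boolean hostnameVerificationEnabled(SslHandler sslHandler) {
        String alg = sslHandler.engine().getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equals(alg) || "LDAPS".equals(alg);
    }

    @Override
    protected void initChannel(Channel ch) {
        ch.pipeline().addFirst("ssl", verifyingHandler(ch));
    }
}
```

If the assessment the comment asks for finds that a code base installs its handlers this way (or sets the same parameter through another path), the suppression entry for CVE-2023-4586 can cite that location in its comment; if the engine's endpoint identification algorithm is still null, the insecure default is live and suppressing the finding would hide a real gap.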