On 7 June 2016 at 18:48, Patrick Hunt <[email protected]> wrote: > There is a jira for this already. Someone want to drive this one? > > https://issues.apache.org/jira/browse/ZOOKEEPER-2399
So are we good in the 3.4 branch after: https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8 or would we still need to backup netty 4.x support to that branch (eventually)? -rgs > > > Patrick > > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han <[email protected]> wrote: > > > FYI branch 3.4 was recently patched with Netty 3.10 to address some of > the > > security concerns as described in ZOOKEEPER-2423: Upgrade Netty version > due > > to security vulnerability. > > > > > > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8 > > > > > > > > > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi <[email protected]> > > wrote: > > > > > Hello, > > > We are currently facing some security issues with Zookeeper version > 3.4.7 > > > & 3.4.8, since its bundled with very old version of Netty:jar, version > > > 3.7.0. > > > Could you address this issue in future Zookeeper releases by packaging > it > > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure this > > will > > > help many other issues including security violations. > > > > > > Thanks > > > Pallavi > > > > > > > > > > > > -- > > Cheers > > Michael. > > >
