I also think we might eventually want to upgrade to Netty 4.x (unless there is a reason not to) to get the benefits of bug fixes / features not available in 3.x, but there is no immediate need to upgrade to Netty 4.x for security reasons, as all known security issues should be addressed by Netty 3.10.5. An upgrade to 4.x is not as trivial as an upgrade to 3.10.5, as more code changes and testing would be involved, as described in ZOOKEEPER-2399.

On Tue, Jun 14, 2016 at 9:16 PM, Patrick Hunt <[email protected]> wrote:

> Pallavi do you have any insight into this? Michael? Are we ok with 3.x
> netty or is there some security related fix we are missing that would
> require 3.4 to upgrade to 4.x?
>
> Patrick
>
> On Wed, Jun 8, 2016 at 8:31 AM, Raúl Gutiérrez Segalés <[email protected]> wrote:
>
> > On 7 June 2016 at 18:48, Patrick Hunt <[email protected]> wrote:
> >
> > > There is a jira for this already. Someone want to drive this one?
> > >
> > > https://issues.apache.org/jira/browse/ZOOKEEPER-2399
> >
> > So are we good in the 3.4 branch after:
> >
> > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> >
> > or would we still need to backup netty 4.x support to that branch
> > (eventually)?
> >
> > -rgs
> >
> > > Patrick
> > >
> > > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han <[email protected]> wrote:
> > >
> > > > FYI branch 3.4 was recently patched with Netty 3.10 to address some of the
> > > > security concerns as described in ZOOKEEPER-2423: Upgrade Netty version due
> > > > to security vulnerability.
> > > >
> > > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8
> > > >
> > > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi <[email protected]> wrote:
> > > >
> > > > > Hello,
> > > > > We are currently facing some security issues with Zookeeper version 3.4.7
> > > > > & 3.4.8, since it's bundled with a very old version of Netty:jar, version
> > > > > 3.7.0.
> > > > > Could you address this issue in future Zookeeper releases by packaging it
> > > > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure this will
> > > > > help many other issues including security violations.
> > > > >
> > > > > Thanks
> > > > > Pallavi
> > > >
> > > > --
> > > > Cheers
> > > > Michael.

--
Cheers
Michael.
