Unsubscribe On Wed, Jun 15, 2016 at 10:40 AM, Michael Han <[email protected]> wrote:
> I also think we might eventually want upgrade to Netty 4.x (unless there is > a reason not to) to get benefits of bug fixes / features not available in > 3.x, but there is no immediate needs to upgrade to Netty 4.x for security > reasons as all known security issues should be addressed by Netty 3.10.5. > Upgrade to 4.x is not as trivial as upgrade to 3.10.5 as more code changes > and testing would be involved as described in ZOOKEEPER-2399. > > On Tue, Jun 14, 2016 at 9:16 PM, Patrick Hunt <[email protected]> wrote: > > > Pallavi do you have any insight into this? Michael? Are we ok with 3.x > > netty or is there some security related fix we are missing that would > > require 3.4 to upgrade to 4.x? > > > > Patrick > > > > On Wed, Jun 8, 2016 at 8:31 AM, Raúl Gutiérrez Segalés < > > [email protected]> > > wrote: > > > > > On 7 June 2016 at 18:48, Patrick Hunt <[email protected]> wrote: > > > > > > > There is a jira for this already. Someone want to drive this one? > > > > > > > > https://issues.apache.org/jira/browse/ZOOKEEPER-2399 > > > > > > > > > So are we good in the 3.4 branch after: > > > > > > > > > > > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8 > > > > > > or would we still need to backup netty 4.x support to that branch > > > (eventually)? > > > > > > > > > -rgs > > > > > > > > > > > > > > > > > > > > > Patrick > > > > > > > > On Mon, Jun 6, 2016 at 1:51 PM, Michael Han <[email protected]> > wrote: > > > > > > > > > FYI branch 3.4 was recently patched with Netty 3.10 to address some > > of > > > > the > > > > > security concerns as described in ZOOKEEPER-2423: Upgrade Netty > > version > > > > due > > > > > to security vulnerability. > > > > > > > > > > > > > > > > > > > > > > > > > https://github.com/apache/zookeeper/commit/f0a49567d545bd6584cb8ece2d491dc6c65174f8 > > > > > > > > > > > > > > > > > > > > > > > > > On Mon, Jun 6, 2016 at 1:38 PM, Hegde, Pallavi < > > [email protected]> > > > > > wrote: > > > > > > > > > > > Hello, > > > > > > We are currently facing some security issues with Zookeeper > version > > > > 3.4.7 > > > > > > & 3.4.8, since its bundled with very old version of Netty:jar, > > > version > > > > > > 3.7.0. > > > > > > Could you address this issue in future Zookeeper releases by > > > packaging > > > > it > > > > > > with Netty.jar-4.0.27, or higher version of Netty:jar? I am sure > > this > > > > > will > > > > > > help many other issues including security violations. > > > > > > > > > > > > Thanks > > > > > > Pallavi > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Cheers > > > > > Michael. > > > > > > > > > > > > > > > > > > -- > Cheers > Michael. >
