This was discussed relatively recently: https://lists.apache.org/thread.html/680038b345da49a3d5cb452de5d54d62f14d1df0747690980c218c1a@%3Cdev.zookeeper.apache.org%3E
Gist is that while the identified issue didn't affect us directly, folks should move to 3.5 (or don't use netty in 3.4), given 3.4 is using a version of netty that's no longer supported and too difficult to upgrade.

Patrick

On Sat, Nov 23, 2019 at 12:36 AM Tamas Penzes <tam...@cloudera.com.invalid> wrote:

> Hi Daniel,
>
> I remember that the migration from Netty 3 to 4 wasn't a trivial task, so I
> would not expect it in any future ZK 3.4 release.
>
> But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not
> really problematic since they are backward compatible. We have done it for
> many Hadoop components, without big code changes (if you use Curator, don't
> forget to use 4.2.0+ and exclude its own beta ZK).
>
> So the best is to try ZK 3.5.6.
>
> Regards, Tamaas
>
> On Sat, Nov 23, 2019, 00:52 Daniel Chan <daniel.cw.c...@oracle.com> wrote:
>
> > Hi,
> >
> > From
> > https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14 ,
> > Zookeeper depends on Netty 3.10.6.Final.
> >
> > However, Netty has CVEs for versions prior to 4.1.42.Final as per
> > https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
> > Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP
> > headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP
> > request smuggling.
> >
> > Will Zookeeper (both client and server) work if we use Netty 4.1.42.Final
> > or above instead?
> >
> > Also what jars are needed for the Zookeeper Client?
> >
> > Thanks,
> > Daniel
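
The header check that the quoted CVE-2019-16869 description turns on, as an added example that is not part of this thread and is not ZooKeeper or Netty code: a strict validator that flags whitespace between a header field-name and the colon, which RFC 7230 section 3.2.4 requires a server to reject with 400. The function name and both sample requests are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, the only ones allowed in a header field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample requests (not captured traffic).
SAMPLE_OK = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)
SAMPLE_BAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding : chunked\r\n"  # the header line quoted in the CVE text
    b"Content-Length: 4\r\n"
    b"\r\n"
)


def check_header_block(raw: bytes):
    """Return (line_number, reason) pairs for header lines whose field-name
    violates RFC 7230. An empty list means every header line is well-formed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    problems = []
    # Line 1 is the request line; header fields start on line 2.
    for number, line in enumerate(lines[1:], start=2):
        name, sep, _value = line.partition(":")
        if not sep:
            problems.append((number, "missing colon"))
        elif name != name.rstrip(" \t"):
            # A lenient parser would trim this and honour the header, while
            # another hop may ignore it; rejecting removes the disagreement.
            problems.append((number, "whitespace before colon"))
        elif not _TOKEN.match(name):
            problems.append((number, "invalid field-name"))
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        findings = check_header_block(sample)
        print(label, "-> 400 Bad Request" if findings else "-> accept", findings)
```
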