This is an automated email from the ASF dual-hosted git repository.
lidavidm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow.git
The following commit(s) were added to refs/heads/main by this push:
new ea4f03ac16 GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211)
ea4f03ac16 is described below
commit ea4f03ac166e3961b59f29f60dcd160fbed29894
Author: Bryan Cutler <[email protected]>
AuthorDate: Wed Jun 21 12:22:38 2023 -0700
GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211)
### Rationale for this change
Upgrading Netty dependency due to CVE
https://github.com/advisories/GHSA-6mjq-h674-j845
This also requires a patch to arrow-memory
### What changes are included in this PR?
Upgrading Netty, gRPC and Protobuf dependencies
### Are these changes tested?
Existing tests
### Are there any user-facing changes?
No
**This PR contains a "Critical Fix".**
netty-handler SniHandler 16MB allocation
The SniHandler can allocate up to 16MB of heap for each channel during the
TLS handshake. When the handler or the channel does not have an idle timeout,
it can be used to make a TCP server using the SniHandler to allocate 16MB of
heap.
https://github.com/advisories/GHSA-6mjq-h674-j845
* Closes: #36209
Authored-by: Bryan Cutler <[email protected]>
Signed-off-by: David Li <[email protected]>
---
.../src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java | 2 +-
java/pom.xml | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git
a/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
b/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
index fc6fc5d2b6..74b7a8530c 100644
---
a/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
+++
b/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
@@ -161,7 +161,7 @@ public class PooledByteBufAllocatorL {
}
private UnsafeDirectLittleEndian newDirectBufferL(int initialCapacity, int
maxCapacity) {
- PoolThreadCache cache = threadCache();
+ PoolArenasCache cache = threadCache();
PoolArena<ByteBuffer> directArena = cache.directArena;
if (directArena != null) {
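Review bot: the one-line type swap from `PoolThreadCache` to `PoolArenasCache` in `newDirectBufferL` shows that this class (placed in Netty's own `io.netty.buffer` package to reach package-private internals) is pinned to the exact Netty release in the BOM; with an older Netty on the classpath the class fails to link at load time rather than at compile time. Please add a class-level comment recording the minimum Netty version this file now requires (4.1.94.Final per the pom change in this commit) so the next BOM bump is checked against it, and consider a test that instantiates `PooledByteBufAllocatorL` so the mismatch surfaces in CI instead of in a downstream application.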
diff --git a/java/pom.xml b/java/pom.xml
index ce393fed87..ccb2a2b72d 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -33,9 +33,9 @@
<dep.junit.jupiter.version>5.9.0</dep.junit.jupiter.version>
<dep.slf4j.version>1.7.25</dep.slf4j.version>
<dep.guava-bom.version>31.1-jre</dep.guava-bom.version>
- <dep.netty-bom.version>4.1.82.Final</dep.netty-bom.version>
- <dep.grpc-bom.version>1.49.1</dep.grpc-bom.version>
- <dep.protobuf-bom.version>3.21.6</dep.protobuf-bom.version>
+ <dep.netty-bom.version>4.1.94.Final</dep.netty-bom.version>
+ <dep.grpc-bom.version>1.56.0</dep.grpc-bom.version>
+ <dep.protobuf-bom.version>3.23.1</dep.protobuf-bom.version>
<dep.jackson-bom.version>2.15.1</dep.jackson-bom.version>
<dep.hadoop.version>2.7.1</dep.hadoop.version>
<dep.fbs.version>1.12.0</dep.fbs.version>
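Review bot: the commit message justifies only the Netty bump (GHSA-6mjq-h674-j845), yet this hunk also moves `dep.grpc-bom.version` from 1.49.1 to 1.56.0 and `dep.protobuf-bom.version` from 3.21.6 to 3.23.1 with no stated reason; add a sentence explaining the coupling (presumably gRPC's Netty transport must line up with the Netty BOM, and gRPC 1.56.0 in turn expects the newer Protobuf), and confirm in "Are these changes tested?" that the Flight/gRPC test suites ran against the new pairing, since "Existing tests" does not say whether a transitive Netty version still resolves to 4.1.94.Final after the gRPC bump.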