[
https://issues.apache.org/jira/browse/HADOOP-17556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Adam Roberts updated HADOOP-17556:
----------------------------------
Description:
Hi everyone, have been raising a few JIRAs recently related to dependencies in
Flink and Hadoop, and for Hadoop I have noticed the following versions of Netty
in use. I'm wondering if we can work to upgrade these (potentially all to the
same version) to remediate any CVEs we have.
Here's what the Twistlock container scan picked up (so, this is Flink with
Hadoop 3.3.1 snapshot, which I've scanned), so any thoughts or upgrade ideas
would be most welcome.
"version": "3.10.6.Final"
"name": "io.netty_netty"
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
"version": "4.1.50.Final"
"name": "io.netty_netty-all"
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
"version": "4.1.42.Final"
"name": "io.netty_netty-codec"
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
The latest 4.1 Netty I see is
{{[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.59.Final]}}
which may help with the above findings (assume things are all compatible!),
thanks
was:
Hi everyone, have been raising a few JIRAs recently related to dependencies in
Flink and Hadoop, and for Hadoop I have noticed the following versions of Netty
in use. I'm wondering if we can work to upgrade these (potentially all to the
same version) to remediate any CVEs we have.
Here's what the Twistlock container scan picked up (so, this is Flink with
Hadoop 3.3.1 snapshot, which I've scanned), so any thoughts or upgrade ideas
would be most welcome!
{{{{ }}{{"version": "3.10.6.Final",}}}}
{{ \{{ "name": "io.netty_netty",}}}}
{{ \{{ "path":
"/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
},}}}}}}{{{\{ "version": "4.1.50.Final",}}}}
{{ \{{ "name": "io.netty_netty-all",}}}}
{{ \{{ "path":
"/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"},}}}}}}{{{\{
"version": "4.1.42.Final",}}}}
{{ \{{ "name": "io.netty_netty-codec",}}}}
{{ \{{ "path":
"/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar" },}}}}}}
The latest 4.1 Netty I see is
{{[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.59.Final]}}
which may help with the above findings (assume things are all compatible!),
thanks
> Understanding Netty versions and upgrading them (three findings in Hadoop we
> could upgrade?)
> --------------------------------------------------------------------------------------------
>
> Key: HADOOP-17556
> URL: https://issues.apache.org/jira/browse/HADOOP-17556
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Adam Roberts
> Priority: Major
>
> Hi everyone, have been raising a few JIRAs recently related to dependencies
> in Flink and Hadoop, and for Hadoop I have noticed the following versions of
> Netty in use. I'm wondering if we can work to upgrade these (potentially all
> to the same version) to remediate any CVEs we have.
>
> Here's what the Twistlock container scan picked up (so, this is Flink with
> Hadoop 3.3.1 snapshot, which I've scanned), so any thoughts or upgrade ideas
> would be most welcome.
>
> "version": "3.10.6.Final"
> "name": "io.netty_netty"
> "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
>
> "version": "4.1.50.Final"
> "name": "io.netty_netty-all"
> "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
>
> "version": "4.1.42.Final"
> "name": "io.netty_netty-codec"
> "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar"
>
> The latest 4.1 Netty I see is
> {{[https://mvnrepository.com/artifact/io.netty/netty-all/4.1.59.Final]}}
>
> which may help with the above findings (assume things are all compatible!),
> thanks
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
