[ https://issues.apache.org/jira/browse/ZOOKEEPER-2450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Han resolved ZOOKEEPER-2450.
------------------------------------
    Resolution: Fixed

Patch was committed as part of ZOOKEEPER-2423:
http://svn.apache.org/viewvc?view=revision&revision=1742474
http://svn.apache.org/viewvc?view=revision&revision=1742473

Close as resolved.

> Upgrade Netty version due to security vulnerability (CVE-2014-3488)
> -------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2450
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2450
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Michael Han
>            Assignee: Michael Han
>            Priority: Critical
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>
> This JIRA recreates ZOOKEEPER-2432, which was deleted as collateral damage 
> during the spam-fighting effort the Apache Infrastructure Team did weeks ago. 
> Recreate the JIRA for the record so external documentation can link back to 
> this JIRA.
> The SslHandler in Netty before 3.9.2 allows remote attackers to cause a 
> denial of service (infinite loop and CPU consumption) via a crafted 
> SSLv2Hello message [1]. We are using Netty 3.7.x in ZK for 3.4/3.5/3.6, which 
> is affected by this vulnerability.
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
> [2] http://netty.io/news/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
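
A check for the condition the issue describes (Netty 3.x before 3.9.2 on the classpath), as an added example that is not part of the original message or of ZooKeeper's code. The jar naming pattern, the function names and the sample listing are assumptions made for illustration; Netty 4.x is reported as out of scope because the issue text only covers the 3.x line.

```python
import os
import re

# Threshold taken from the issue text: SslHandler in Netty before 3.9.2 is affected.
FIXED_3X = (3, 9, 2)

# Assumed naming: netty-3.7.0.Final.jar, netty-3.10.5.Final.jar, netty-all-4.0.23.Final.jar
JAR_RE = re.compile(r"^netty(?:-all)?-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")


def parse_netty_version(jar_name):
    """Return (major, minor, patch) for a Netty jar file name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(jar_name):
    """Classify one file name against the 3.9.2 threshold."""
    version = parse_netty_version(jar_name)
    if version is None:
        return "not-netty"
    if version[0] != 3:
        return "out-of-scope"  # the issue only makes a statement about 3.x
    # Compare as integer tuples: a string compare would rank "3.10.5" below "3.9.2".
    return "affected" if version < FIXED_3X else "fixed"


def audit(jar_names):
    """Map each Netty jar in a listing to its classification."""
    results = {}
    for name in jar_names:
        verdict = classify(name)
        if verdict != "not-netty":
            results[name] = verdict
    return results


def audit_dir(lib_dir):
    """Audit the jar files found directly inside lib_dir."""
    return audit(sorted(os.listdir(lib_dir)))


# Constructed sample listing of a lib/ directory, not taken from a real install.
SAMPLE_LIB = [
    "zookeeper-3.4.8.jar", "netty-3.7.0.Final.jar", "slf4j-api-1.6.1.jar",
    "netty-3.10.5.Final.jar", "netty-all-4.0.23.Final.jar",
]

if __name__ == "__main__":
    for jar, verdict in audit(SAMPLE_LIB).items():
        print(f"{jar}: {verdict}")
```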
