Backporting Netty 4 would be a huge, cumbersome task, I hope we don’t have to do it.

However I had a quick look at the details of this CVE and it seems to me that it only affects the HTTP codec:
https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95

Can’t we just say 3.4.14 is not affected? We’re not running an HTTP server inside ZooKeeper.

Otherwise we might be able to release 3.6.0-alpha1 now, put a date for 3.4 EOL and highlight on the webpage that this CVE probably won’t be resolved on that branch, please upgrade to 3.5.

As a third option we could ask Norman to kindly fix 3.10.6.Final as well… or submit a PR ourselves, it doesn’t seem to me a big deal.

What do you think?

Andor

> On 2019. Oct 1., at 2:00, Patrick Hunt <[email protected]> wrote:
>
> I pushed patches for 3.5 and trunk and the tests passed on my mac. However
> 3.4 is using netty 3.10.6.Final and as such it's not a simple upgrade.
> (there are no fixes against 3.10 for this CVE, at least not so far) Not
> sure what we want to do about this... someone would need to backport the
> netty 4.1 changes into 3.4 afaict.
>
> Patrick
>
> On Mon, Sep 30, 2019 at 1:08 PM Patrick Hunt <[email protected]> wrote:
>
>> I'll work on it today.
>>
>> Patrick
>>
>> On Mon, Sep 30, 2019 at 11:59 AM Enrico Olivelli <[email protected]> wrote:
>>
>>> Okay
>>>
>>> I am cancelling the release.
>>>
>>> I have a problem with my box, I can't work on the netty upgrade.
>>>
>>> Any volunteer?
>>>
>>> Enrico
>>>
>>> On Mon, 30 Sep 2019, 20:32 Andor Molnar <[email protected]> wrote:
>>>
>>>> The good news is: we need to release 3.4.15 too. :)
>>>>
>>>> Andor
>>>>
>>>>> On 2019. Sep 30., at 20:26, Patrick Hunt <[email protected]> wrote:
>>>>>
>>>>> created: https://issues.apache.org/jira/browse/ZOOKEEPER-3563
>>>>>
>>>>> On Mon, Sep 30, 2019 at 11:20 AM Patrick Hunt <[email protected]> wrote:
>>>>>
>>>>>> -1 - when I run dependency check on the release candidate artifact it's
>>>>>> failing with:
>>>>>>
>>>>>> [ERROR] netty-transport-4.1.29.Final.jar: CVE-2019-16869
>>>>>>
>>>>>> I ran this on trunk and it's passing, as such it must be an issue with
>>>>>> the 3.5.6 netty version specifically. It's listed as a high, we should
>>>>>> patch this as well before releasing.
>>>>>>
>>>>>> Patrick
>>>>>>
>>>>>> On Sun, Sep 29, 2019 at 7:29 AM Enrico Olivelli <[email protected]> wrote:
>>>>>>
>>>>>>> This is a bugfix release candidate for 3.5.6.
>>>>>>>
>>>>>>> It fixes 28 issues, including upgrade of third party libraries,
>>>>>>> TTL Node APIs for C API, support for PKCS12 Keystores, and a better
>>>>>>> procedure for the upgrade of servers from 3.4 to 3.5.
>>>>>>>
>>>>>>> The full release notes are available at:
>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>>>>>>
>>>>>>> *** Please download, test and vote by October 2nd 2019, 23:59 UTC+0. ***
>>>>>>>
>>>>>>> Source files:
>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-2
>>>>>>>
>>>>>>> Maven staging repo:
>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1042/
>>>>>>>
>>>>>>> The release candidate tag in git to be voted upon: release-3.5.6-rc2
>>>>>>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc2
>>>>>>>
>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>>>
>>>>>>> Should we release this candidate?
>>>>>>> Enrico Olivelli
