[jira] [Commented] (DRILL-7790) Build Drill with Netty version 4.1.50.Final

Tue, 20 Oct 2020 04:11:00 -0700 


    [ 
https://issues.apache.org/jira/browse/DRILL-7790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17217522#comment-17217522
 ] 

ASF GitHub Bot commented on DRILL-7790:
---------------------------------------

alkakumari42 commented on pull request #2105:
URL: https://github.com/apache/drill/pull/2105#issuecomment-712774511


   > @alkakumari42
   > There are still branch conflicts. Can you please take a look?
   > Thanks!
   
   Hi @cgivre ,
   
   Please note that the changelist I have added is currently not with the 
intent of merging, but rather as a frame of reference. The actual issue is that 
the up-gradation which I tried did not seem to work, so was wondering if 
someone from the open-source community could provide some assistance by looking 
at the changelist, or, just generally suggesting what needs to be done in order 
to upgrade netty, since the one being used contains vulnerabilities.
   
   Regards,
   Alka


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


> Build Drill with Netty version 4.1.50.Final
> -------------------------------------------
>
>                 Key: DRILL-7790
>                 URL: https://issues.apache.org/jira/browse/DRILL-7790
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: alka kumari
>            Priority: Major
>
> Hi,
>  
> In apache Drill Client 1.17, Netty version 4.0.48.Final is being used and it 
> suffers from vulnerability (CVE-2019-16869):
>  https://www.cvedetails.com/cve/CVE-2019-16869/
>  https://snyk.io/vuln/maven:io.netty%3Anetty-all
>  
> This has been fixed in the latest netty (4.1.50.Final).
>  
> We want to build a drill with the latest Netty version that is free from any 
> vulnerabilities. 
>  
> As there are many breaking changes from 4.0.48 to 4.1.50, I have modified the 
> code accordingly. 
>  
> I noticed that after trying to upgrade the dependency, I was unable to 
> connect with SSL enabled.
>   
>  ERROR:
>  Connecting to the server timed out. This is sometimes due to a mismatch in 
> the SSL configuration between client and server. [ Exception: Waited 10000 
> milliseconds for 
> org.apache.drill.shaded.guava.com.google.common.util.concurrent.SettableFuture@6ea2bc93[status=PENDING]].
>   
>  
> I have created a pull request containing the changes which I have tried to 
> make.
>  
> Could someone please advise further on what needs to be changed?
>  
> Regards,
>  Alka



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to