[ 
https://issues.apache.org/jira/browse/FLUME-3386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488624#comment-17488624
 ] 

Lily Warner commented on FLUME-3386:
------------------------------------

[~rgoers] I ran mvn dependency:tree and found netty 3.6.2.Final as follows 
(unrelated jars excluded):



[INFO] org.apache.flume.flume-ng-sinks:flume-hdfs-sink:jar:1.10.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:2.9.0:compile (optional)
[INFO] |  +- io.netty:netty:jar:3.6.2.Final:compile

It seems that the netty version is a transitive dependency of hadoop, but since 
that dependency is optional it is possible to avoid the old version of netty. 
So we may be good here.

Thank you for the work you've already done to upgrade from Netty 3 to 4 :)

> flume-ng-sdk uses vulnerable version of netty
> ---------------------------------------------
>
>                 Key: FLUME-3386
>                 URL: https://issues.apache.org/jira/browse/FLUME-3386
>             Project: Flume
>          Issue Type: Dependency upgrade
>    Affects Versions: 1.9.0
>            Reporter: Lily Warner
>            Priority: Major
>
> Vulnerabilities:
>  * [https://nvd.nist.gov/vuln/detail/CVE-2019-16869]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2019-20444]
>  * [https://nvd.nist.gov/vuln/detail/CVE-2019-20445]
>  * sonatype-2020-0103
>  * sonatype-2020-0029
> Version to migrate to: 4.1.59 or above



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
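
An added example, not part of the original comment or the Flume project: a Python sketch that parses `mvn dependency:tree` output like the excerpt in the comment, flags `io.netty` artifacts below the 4.1.59 target named in the issue, and reports whether the path to them runs through a dependency marked `(optional)`. The function names and the `netty-all` sample line are constructed for illustration.

```python
import re

# Threshold from the issue text: "Version to migrate to: 4.1.59 or above".
MIN_NETTY = (4, 1, 59)

# Constructed sample: the three tree lines quoted in the comment, plus one
# made-up netty 4 line so the non-flagged case is exercised as well.
SAMPLE_TREE = """\
[INFO] org.apache.flume.flume-ng-sinks:flume-hdfs-sink:jar:1.10.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:2.9.0:compile (optional)
[INFO] |  +- io.netty:netty:jar:3.6.2.Final:compile
[INFO] \\- io.netty:netty-all:jar:4.1.72.Final:compile
"""

# Groups: indent columns ("|  " or "   "), branch marker, coordinates, optional flag.
# "[*INFO*]" is accepted too, since Jira mail renders the tag with bold markup.
LINE = re.compile(r"^\[\*?INFO\*?\] ((?:[| ] {2})*)([+\\]- )?(\S+)( \(optional\))?\s*$")


def version_tuple(version):
    """Leading numeric components only: '3.6.2.Final' -> (3, 6, 2)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def find_old_netty(tree_text, minimum=MIN_NETTY):
    """Return io.netty artifacts older than `minimum`, with their dependency path."""
    findings, stack = [], []  # stack[i] = (coords, is_optional) at tree depth i
    for raw in tree_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(3).count(":") < 3:
            continue  # banner, separator or other non-tree line
        prefix, marker, coords, optional = m.groups()
        depth = len(prefix) // 3 + (1 if marker else 0)
        del stack[depth:]  # drop siblings and deeper nodes from the previous branch
        stack.append((coords, bool(optional)))
        parts = coords.split(":")
        # group:artifact:type:version[:scope], or with a classifier before the version
        version = parts[3] if len(parts) <= 5 else parts[4]
        if parts[0] == "io.netty" and version_tuple(version) < minimum:
            findings.append({
                "artifact": f"{parts[0]}:{parts[1]}:{version}",
                "path": [c for c, _ in stack],
                "via_optional": any(opt for _, opt in stack[:-1]),
            })
    return findings
```

A finding with `via_optional` set to `True` matches the situation in the comment: the old netty is reached only through a dependency that downstream consumers do not inherit by default.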
