[ https://issues.apache.org/jira/browse/KUDU-3313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411375#comment-17411375 ]
ASF subversion and git services commented on KUDU-3313: ------------------------------------------------------- Commit a9850d7dbbc3ff85d981eb8be6e29220aba4161e in kudu's branch refs/heads/master from yejiabao [ https://gitbox.apache.org/repos/asf?p=kudu.git;h=a9850d7 ] [Java] KUDU-3313 Upgrade netty version from 4.1.60.Final to 4.1.65.Final Change-Id: Ibbbbce745a5f1137c5b1a018bac2d6ffc26699af Reviewed-on: http://gerrit.cloudera.org:8080/17828 Tested-by: Kudu Jenkins Reviewed-by: Bankim Bhavsar <ban...@cloudera.com> Reviewed-by: Alexey Serbin <aser...@cloudera.com> > There is a CVE-2021-21409 vulnerability in netty version 4.1.60 > --------------------------------------------------------------- > > Key: KUDU-3313 > URL: https://issues.apache.org/jira/browse/KUDU-3313 > Project: Kudu > Issue Type: Bug > Reporter: yejiabao_h > Priority: Minor > > In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a > vulnerability that enables request smuggling. The content-length header is > not correctly validated if the request only uses a single Http2HeaderFrame > with the endStream set to to true. This could lead to request smuggling if > the request is proxied to a remote peer and translated to HTTP/1.1. This is a > followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one > case. This was fixed as part of 4.1.61.Final. -- This message was sent by Atlassian Jira (v8.3.4#803005)