[
https://issues.apache.org/jira/browse/KUDU-3313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17411375#comment-17411375
]
ASF subversion and git services commented on KUDU-3313:
-------------------------------------------------------
Commit a9850d7dbbc3ff85d981eb8be6e29220aba4161e in kudu's branch
refs/heads/master from yejiabao
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=a9850d7 ]
[Java] KUDU-3313 Upgrade netty version from 4.1.60.Final to 4.1.65.Final
Change-Id: Ibbbbce745a5f1137c5b1a018bac2d6ffc26699af
Reviewed-on: http://gerrit.cloudera.org:8080/17828
Tested-by: Kudu Jenkins
Reviewed-by: Bankim Bhavsar <ban...@cloudera.com>
Reviewed-by: Alexey Serbin <aser...@cloudera.com>
> There is a CVE-2021-21409 vulnerability in netty version 4.1.60
> ---------------------------------------------------------------
>
> Key: KUDU-3313
> URL: https://issues.apache.org/jira/browse/KUDU-3313
> Project: Kudu
> Issue Type: Bug
> Reporter: yejiabao_h
> Priority: Minor
>
> In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a
> vulnerability that enables request smuggling. The content-length header is
> not correctly validated if the request only uses a single Http2HeaderFrame
> with the endStream set to to true. This could lead to request smuggling if
> the request is proxied to a remote peer and translated to HTTP/1.1. This is a
> followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one
> case. This was fixed as part of 4.1.61.Final.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
