[ https://issues.apache.org/jira/browse/KUDU-3492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17745943#comment-17745943 ]

ASF subversion and git services commented on KUDU-3492:
-------------------------------------------------------

Commit 948517219a2ac860d8b0a7884b96da2f9268fe89 in kudu's branch 
refs/heads/branch-1.16.x from Alexey Serbin
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=948517219 ]

KUDU-3492 upgrade Netty to 4.1.98.Final

This is to address a couple of vulnerabilities reported in Netty
4.1.94.Final [1][2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-41881
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-34462

Change-Id: I20c5c1d9260b1089cc2713fcf8559eb80c2c67c4
Reviewed-on: http://gerrit.cloudera.org:8080/20236
Tested-by: Alexey Serbin <ale...@apache.org>
Reviewed-by: Yifan Zhang <chinazhangyi...@163.com>
(cherry picked from commit b7b9c058c877092c8168fae9316d69554b5499b9)
  Conflicts:
    java/gradle/dependencies.gradle
Reviewed-on: http://gerrit.cloudera.org:8080/20243
Reviewed-by: Yingchun Lai <laiyingc...@apache.org>
Tested-by: Yingchun Lai <laiyingc...@apache.org>


> Netty CVE CVE-2023-34462
> ------------------------
>
>                 Key: KUDU-3492
>                 URL: https://issues.apache.org/jira/browse/KUDU-3492
>             Project: Kudu
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 1.17.0, 1.16.1
>
>
> Netty was upgraded to 4.1.84.Final
> (https://github.com/apache/kudu/commit/892bda293f238fddec47423d5c0b5be9576581f1)
> but this still has known CVEs:
>  * CVE-2022-41881 (fixed in 4.1.86.Final)
>  * CVE-2023-34462 (fixed in 4.1.94.Final)
> Please update to at least 4.1.94.Final.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
