[ https://issues.apache.org/jira/browse/TEZ-4599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910661#comment-17910661 ]
Basapuram Kumar commented on TEZ-4599:
--------------------------------------
PR - https://github.com/apache/tez/pull/387
> Bump netty to 4.1.116 due to CVE
> --------------------------------
>
> Key: TEZ-4599
> URL: https://issues.apache.org/jira/browse/TEZ-4599
> Project: Apache Tez
> Issue Type: Improvement
> Reporter: Basapuram Kumar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Bump netty to 4.1.116 due to CVE-2024-47535.
> CVE-2024-47535 reference
> [https://nvd.nist.gov/vuln/detail/CVE-2024-47535]
>
> Description of the CVE
> {code:java}
> Netty is an asynchronous event-driven network application framework for rapid
> development of maintainable high performance protocol servers & clients. An
> unsafe reading of environment file could potentially cause a denial of
> service in Netty. When loaded on an Windows application, Netty attempts to
> load a file that does not exist. If an attacker creates such a large file,
> the Netty application crashes. This vulnerability is fixed in 4.1.115. {code}
> As per the above CVE, it's fixed in netty-all>=4.1.115 versions.
> So Suggested to