Michael Han created ZOOKEEPER-2423: -------------------------------------- Summary: Upgrade Netty version due to security vulnerability (CVE-2014-3488) Key: ZOOKEEPER-2423 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2423 Project: ZooKeeper Issue Type: Bug Components: security, server Affects Versions: 3.5.1, 3.4.8, 3.6.0 Reporter: Michael Han Assignee: Michael Han Priority: Critical Fix For: 3.4.9, 3.5.2, 3.6.0
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message [1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which is affected by this vulnerability. We should upgrade Netty version to a later version that fixed this issue. I am leaning towards to upgrade Netty version to 3.10.5 [2], which is the latest release of the major version (3) that ZK 3.4/5/6 is using. Thoughts on which Netty version we should upgrade to? [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488 [2] http://netty.io/news/ -- This message was sent by Atlassian JIRA (v6.3.4#6332)