Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
Oh, great, I’m still having my incomplete patch locally for that Jira. Abandoned a while ago, but I think I can come back to this possibly tomorrow.

Thanks for the heads up! :)

Andor

> On 2019. Nov 25., at 19:39, Daniel Chan wrote:
>
> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?
>
> Thanks,
> Daniel
Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
On Mon, Nov 25, 2019, 19:39 Daniel Chan wrote:

> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?

If you are using only 3.4 features (that should be quite obvious because you are on 3.4) you can upgrade client and server in any order.

I have been running with 3.5 client and 3.4 in production for years without issue.

Enrico

> Thanks,
> Daniel
Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
I don't see a patch on that jira and based on the linked thread it seems like folks were against revving 3.4. If you're interested/motivated perhaps you can submit a patch? I'm sure @Andor Molnár won't mind. ;-)

Also: just remove the netty files from the binary. iirc if you're using NIO we don't try to load netty and it should just work. I haven't tried this in quite some time though, we could have added a dependency. I'd suggest giving it a try.

Patrick

On Mon, Nov 25, 2019 at 10:39 AM Daniel Chan wrote:

> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?
>
> Thanks,
> Daniel
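A pre-check for the jar removal Patrick suggests, added here as an example (it is not from the thread or from ZooKeeper's own tooling). It assumes the server's connection factory is chosen only through the `zookeeper.serverCnxnFactory` system property on the JVM command line; the function names and the sample listing are constructed for illustration.

```python
import re

FIXED = (4, 1, 42)  # the thread's threshold: Netty 4.1.42.Final
JAR = re.compile(r"^(netty(?:-[a-z0-9-]+?)?)-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")
NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"

# Constructed sample: file names as they might appear in a 3.4.14 lib/ directory.
LIB = ["zookeeper-3.4.14.jar", "netty-3.10.6.Final.jar",
       "slf4j-api-1.7.25.jar", "log4j-1.2.17.jar"]


def netty_jars(filenames):
    """Return (filename, version tuple, older-than-FIXED) for each Netty jar."""
    found = []
    for name in filenames:
        m = JAR.match(name)
        if m:
            version = tuple(int(x) for x in m.group(2, 3, 4))
            found.append((name, version, version < FIXED))
    return found


def server_uses_netty(jvm_args):
    """True if the JVM arguments select the Netty connection factory.

    Without -Dzookeeper.serverCnxnFactory the server falls back to NIO.
    """
    prefix = "-Dzookeeper.serverCnxnFactory="
    return any(a.startswith(prefix) and a[len(prefix):] == NETTY_FACTORY
               for a in jvm_args)


def removal_candidates(filenames, jvm_args):
    """Netty jars to try removing; empty if the Netty factory is configured."""
    if server_uses_netty(jvm_args):
        return []
    return [name for name, _, _ in netty_jars(filenames)]
```

As Patrick notes, the result still needs a start-up test against the actual release, since a later dependency on Netty classes would only show up at run time.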
RE: Does ZK 3.4.14 support Netty 4.1.42.Final?
Thanks Patrick and Tamas for the information.

Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?

We are currently running on 3.4.9 server and 3.4.6 client. If moving to 3.5.6, should we upgrade the server or client first?

Thanks,
Daniel

-Original Message-
From: Patrick Hunt
Sent: Monday, November 25, 2019 9:55 AM
To: UserZooKeeper
Subject: Re: Does ZK 3.4.14 support Netty 4.1.42.Final?

This was discussed relatively recently:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apache.org_thread.html_680038b345da49a3d5cb452de5d54d62f14d1df0747690980c218c1a-40-253Cdev.zookeeper.apache.org-253E=DwIBaQ=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE=JE3yjNS4hXa8nS9n2uFCwEqMvv18hzzEnqunUhCoEns=BbAVeHS1OYH8LyYFALpMB3Y_LWoECeuvBs41uJRNkAQ=pRvPNkgqtf35FPguSMVExKsUyE1EYZcI3trC9TpwszQ=

Gist is that while the identified issue didn't affect us directly folks should move to 3.5 (or don't use netty in 3.4) given 3.4 is using a version of netty that's no longer supported and too difficult to upgrade.

Patrick
Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
This was discussed relatively recently:
https://lists.apache.org/thread.html/680038b345da49a3d5cb452de5d54d62f14d1df0747690980c218c1a@%3Cdev.zookeeper.apache.org%3E

Gist is that while the identified issue didn't affect us directly folks should move to 3.5 (or don't use netty in 3.4) given 3.4 is using a version of netty that's no longer supported and too difficult to upgrade.

Patrick

On Sat, Nov 23, 2019 at 12:36 AM Tamas Penzes wrote:

> Hi Daniel,
>
> I remember that the migration from Netty 3 to 4 wasn't a trivial task, so I
> would not expect it in any future ZK 3.4 release.
>
> But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not
> really problematic since they are backward compatible. We have done it for
> many Hadoop components, without big code changes (if you use Curator, don't
> forget to use 4.2.0+ and exclude its own beta ZK).
>
> So the best is to try ZK 3.5.6.
>
> Regards, Tamaas
Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
Hi Daniel,

I remember that the migration from Netty 3 to 4 wasn't a trivial task, so I would not expect it in any future ZK 3.4 release.

But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not really problematic since they are backward compatible. We have done it for many Hadoop components, without big code changes (if you use Curator, don't forget to use 4.2.0+ and exclude its own beta ZK).

So the best is to try ZK 3.5.6.

Regards, Tamaas

On Sat, Nov 23, 2019, 00:52 Daniel Chan wrote:

> Hi,
>
> From https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14,
> Zookeeper depends on Netty 3.10.6.Final.
>
> However, Netty has CVEs for versions prior to 4.1.42.Final as per
> https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
> Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP
> headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP
> request smuggling.
>
> Will Zookeeper (both client and server) work if we use Netty 4.1.42.Final
> or above instead?
>
> Also what jars are needed for the Zookeeper Client?
>
> Thanks,
> Daniel
Does ZK 3.4.14 support Netty 4.1.42.Final?
Hi,

From https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14, Zookeeper depends on Netty 3.10.6.Final.

However, Netty has CVEs for versions prior to 4.1.42.Final as per https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Will Zookeeper (both client and server) work if we use Netty 4.1.42.Final or above instead?

Also what jars are needed for the Zookeeper Client?

Thanks,
Daniel
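The header handling named in the CVE description quoted above, shown as an added example (this is not Netty's code and not part of the original message). It contrasts two lenient parsers that disagree on how the body is framed with a strict parser that rejects the line, which is what RFC 7230 section 3.2.4 requires of a server; all function names and the sample header block are constructed.

```python
import re

# RFC 7230 section 3.2: a field-name is a token, followed immediately by ":".
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    pass


def parse_strict(raw: bytes) -> dict:
    """Parse a header block, rejecting any whitespace before the colon."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise MalformedHeader(f"invalid field-name {name!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


def parse_lenient(raw: bytes, trim_name: bool) -> dict:
    """Two lenient behaviours: trim the field name, or keep it verbatim."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            key = (name.strip() if trim_name else name).lower()
            headers.setdefault(key, []).append(value.strip())
    return headers


def framing(headers: dict) -> str:
    """Which header a hop would use to find the end of the message body."""
    if "chunked" in ",".join(headers.get("transfer-encoding", [])).lower():
        return "chunked"
    return "content-length" if "content-length" in headers else "none"


# Constructed sample containing the header line quoted in the CVE description.
SAMPLE = (b"Host: zk.example\r\nContent-Length: 5\r\n"
          b"Transfer-Encoding : chunked\r\n")
```

Two hops that parse `SAMPLE` with different leniency disagree on where the body ends; `parse_strict` removes the ambiguity by raising `MalformedHeader` instead of guessing.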