Hi Daniel,

I remember that the migration from Netty 3 to 4 wasn't a trivial task, so I
would not expect it in any future ZK 3.4 release.

But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not
really problematic since they are backward compatible. We have done it for
many Hadoop components, without big code changes (if you use Curator, don't
forget to use 4.2.0+ and exclude its own beta ZK).

So the best is to try ZK 3.5.6.

Regards, Tamaas

On Sat, Nov 23, 2019, 00:52 Daniel Chan <[email protected]> wrote:

> Hi,
>
> From
> https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14,
> Zookeeper depends on Netty 3.10.6.Final.
>
> However, Netty has CVEs for versions prior to 4.1.42.Final as per
> https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
> Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP
> headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP
> request smuggling.
>
> Will Zookeeper (both client and server) work if we use Netty 4.1.42.Final
> or above instead?
>
> Also what jars are needed for the Zookeeper Client?
>
> Thanks,
> Daniel
>
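An added example, not part of the original thread: a strict header check for the condition CVE-2019-16869 describes (whitespace between a header field name and the colon), which RFC 7230 section 3.2.4 says a server must reject. The function names and the sample request bytes are constructed for illustration.

```python
import re

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header_block(raw: bytes):
    """Parse a raw header block (request line already removed).

    Returns (headers, problems): headers is a list of (lowercased name, value)
    for well-formed lines; problems is a list of (line number, reason).
    """
    headers, problems = [], []
    for n, line in enumerate(raw.split(b"\r\n"), 1):
        if not line:
            break  # an empty line ends the header block
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            problems.append((n, "no colon"))
        elif name != name.rstrip(" \t"):
            # The case from the CVE text: "Transfer-Encoding : chunked".
            # Parsers that trim the name and parsers that do not will disagree
            # on how the body is framed, so the line is never normalised here.
            problems.append((n, "whitespace before colon"))
        elif not _TOKEN.match(name):
            problems.append((n, "invalid field name"))
        else:
            headers.append((name.lower(), value.strip(" \t")))
    return headers, problems


def should_reject(raw: bytes) -> bool:
    """True when the request must be answered with 400 instead of forwarded."""
    return bool(check_header_block(raw)[1])


# Constructed sample input (not captured traffic).
SAMPLE = (b"Host: example.test\r\n"
          b"Content-Length: 4\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n")

if __name__ == "__main__":
    print(check_header_block(SAMPLE))
```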
