I don't see a patch on that jira and based on the linked thread it seems
like folks were against revving 3.4. If you're interested/motivated perhaps
you can submit a patch? I'm sure @Andor Molnár <[email protected]> won't
mind. ;-)

Also: just remove the netty files from the binary. iirc if you're using NIO
we don't try to load netty and it should just work. I haven't tried this in
quite some time though, we could have added a dependency. I'd suggest
giving it a try.

Patrick


On Mon, Nov 25, 2019 at 10:39 AM Daniel Chan <[email protected]>
wrote:

> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?
>
> Thanks,
> Daniel
>
> -----Original Message-----
> From: Patrick Hunt <[email protected]>
> Sent: Monday, November 25, 2019 9:55 AM
> To: UserZooKeeper <[email protected]>
> Subject: Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
>
> This was discussed relatively recently:
>
> https://lists.apache.org/thread.html/680038b345da49a3d5cb452de5d54d62f14d1df0747690980c218c1a@%3Cdev.zookeeper.apache.org%3E
>
> Gist is that while the identified issue didn't affect us directly folks
> should move to 3.5 (or don't use netty in 3.4) given 3.4 is using a version
> of netty that's no longer supported and too difficult to upgrade.
>
> Patrick
>
>
> On Sat, Nov 23, 2019 at 12:36 AM Tamas Penzes <[email protected]> wrote:
>
> > Hi Daniel,
> >
> > I remember that the migration from Netty 3 to 4 wasn't a trivial task,
> > so I would not expect it in any future ZK 3.4 release.
> >
> > But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not
> > really problematic since they are backward compatible. We have done it
> > for many Hadoop components, without big code changes (if you use
> > Curator, don't forget to use 4.2.0+ and exclude its own beta ZK).
> >
> > So the best is to try ZK 3.5.6.
> >
> > Regards, Tamas
> >
> > On Sat, Nov 23, 2019, 00:52 Daniel Chan <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > From
> > > https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14,
> > > Zookeeper depends on Netty 3.10.6.Final.
> > >
> > > However, Netty has CVEs for versions prior to 4.1.42.Final as per
> > > https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
> > > Netty before 4.1.42.Final mishandles whitespace before the colon in
> > > HTTP headers (such as a "Transfer-Encoding : chunked" line), which
> > > leads to HTTP request smuggling.
> > >
> > > Will Zookeeper (both client and server) work if we use Netty
> > > 4.1.42.Final or above instead?
> > >
> > > Also what jars are needed for the Zookeeper Client?
> > >
> > > Thanks,
> > > Daniel
> > >
> >
>
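
An added example, not part of the thread or of ZooKeeper's own code: a small audit for the situation discussed above. It lists the Netty jars in a ZooKeeper lib directory, compares them with 4.1.42.Final, and checks whether the JVM flags select the Netty transport. It assumes the transport is chosen only through the zookeeper.serverCnxnFactory / zookeeper.clientCnxnSocket system properties; the sample listing is constructed and the verdict labels are made up for this example.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 1, 42)  # the thread: CVE-2019-16869 affects Netty before 4.1.42.Final
# netty-3.10.6.Final.jar, netty-all-4.1.42.Final.jar, netty-handler-4.1.50.Final.jar;
# netty-tcnative has its own version line and is skipped.
JAR_RE = re.compile(r"^netty(?!-tcnative)(?:-[a-z0-9-]+?)?-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")
# JVM system properties that switch ZooKeeper from the default NIO transport to Netty
FLAG_RE = re.compile(r"-Dzookeeper\.(?:serverCnxnFactory|clientCnxnSocket)=\S*Netty\S*")


def netty_jars(names):
    """Return (jar name, version tuple, older-than-fix) for each Netty jar."""
    found = []
    for name in names:
        m = JAR_RE.match(name)
        if m:
            version = tuple(int(g) for g in m.groups())
            found.append((name, version, version < FIXED))
    return found


def audit(names, jvm_flags=""):
    """Classify a lib directory listing plus the JVM flags used to start ZooKeeper."""
    jars = netty_jars(names)
    old = [name for name, _, is_old in jars if is_old]
    selected = FLAG_RE.findall(jvm_flags)
    if not jars:
        verdict = "no-netty-jar"
    elif not old:
        verdict = "netty-at-or-above-fix"
    elif selected:
        verdict = "old-netty-in-use"
    else:
        verdict = "old-netty-present-not-selected"
    return {"verdict": verdict, "old_jars": old, "netty_flags": selected}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: script.py <zookeeper lib dir> [jvm flags]
        listing = [p.name for p in Path(sys.argv[1]).iterdir()]
        flags = " ".join(sys.argv[2:])
    else:                   # constructed sample: a 3.4.14-style lib directory
        listing = ["zookeeper-3.4.14.jar", "netty-3.10.6.Final.jar", "slf4j-api-1.7.25.jar"]
        flags = ""
    print(audit(listing, flags))
```

A result of "old-netty-present-not-selected" matches the case described in the reply at the top, where the jar ships in the binary but NIO is the transport in use.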
