On Mon, 25 Nov 2019, 19:39 Daniel Chan <daniel.cw.c...@oracle.com> wrote:

> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?
>

If you are using only 3.4 features (that should be quite obvious because you are on 3.4) you can upgrade client and server in any order.
I have been running with 3.5 client and 3.4 in production for years without issue.

Enrico

> Thanks,
> Daniel
>
> -----Original Message-----
> From: Patrick Hunt <ph...@apache.org>
> Sent: Monday, November 25, 2019 9:55 AM
> To: UserZooKeeper <user@zookeeper.apache.org>
> Subject: Re: Does ZK 3.4.14 support Netty 4.1.42.Final?
>
> This was discussed relatively recently:
>
> https://lists.apache.org/thread.html/680038b345da49a3d5cb452de5d54d62f14d1df0747690980c218c1a@%3Cdev.zookeeper.apache.org%3E
>
> Gist is that while the identified issue didn't affect us directly folks
> should move to 3.5 (or don't use netty in 3.4) given 3.4 is using a version
> of netty that's no longer supported and too difficult to upgrade.
>
> Patrick
>
>
> On Sat, Nov 23, 2019 at 12:36 AM Tamas Penzes <tam...@cloudera.com.invalid>
> wrote:
>
> > Hi Daniel,
> >
> > I remember that the migration from Netty 3 to 4 wasn't a trivial task,
> > so I would not expect it in any future ZK 3.4 release.
> >
> > But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not
> > really problematic since they are backward compatible. We have done it
> > for many Hadoop components, without big code changes (if you use
> > Curator, don't forget to use 4.2.0+ and exclude its own beta ZK).
> >
> > So the best is to try ZK 3.5.6.
> >
> > Regards, Tamas
> >
> > On Sat, Nov 23, 2019, 00:52 Daniel Chan <daniel.cw.c...@oracle.com> wrote:
> >
> > > Hi,
> > >
> > > From
> > > https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14,
> > > Zookeeper depends on Netty 3.10.6.Final.
> > >
> > > However, Netty has CVEs for versions prior to 4.1.42.Final as per
> > > https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
> > > Netty before 4.1.42.Final mishandles whitespace before the colon in
> > > HTTP headers (such as a "Transfer-Encoding : chunked" line), which
> > > leads to HTTP request smuggling.
> > >
> > > Will Zookeeper (both client and server) work if we use Netty
> > > 4.1.42.Final or above instead?
> > >
> > > Also what jars are needed for the Zookeeper Client?
> > >
> > > Thanks,
> > > Daniel
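
The header rule behind the CVE-2019-16869 description quoted in the thread, as an added example that is not from the thread, ZooKeeper or Netty: a strict check that refuses header lines with whitespace before the colon, which RFC 7230 section 3.2.4 requires servers to answer with 400. It goes slightly beyond the one quoted case by also validating the field-name token and rejecting line folding; the function names and sample requests are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, the only ones allowed in a header field-name.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_header_block(raw: bytes):
    """Return (headers, errors) for the header lines of one HTTP/1.1 request.

    `raw` is the header section only: the lines after the request line,
    up to but excluding the blank line that ends the headers.
    """
    headers, errors = [], []
    for lineno, line in enumerate(raw.split(b"\r\n"), start=1):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # Continuation lines let two parsers disagree on header boundaries.
            errors.append((lineno, "obsolete line folding"))
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            errors.append((lineno, "no colon in header line"))
        elif name != name.rstrip(b" \t"):
            # The "Transfer-Encoding : chunked" case from the CVE text.
            errors.append((lineno, "whitespace before colon"))
        elif not _TOKEN.fullmatch(name):
            errors.append((lineno, "invalid field-name"))
        else:
            headers.append((name.decode("ascii").lower(),
                            value.strip(b" \t").decode("latin-1")))
    return headers, errors


def should_reject(raw: bytes) -> bool:
    """True when the request must get a 400 instead of being forwarded."""
    return bool(check_header_block(raw)[1])


# Constructed sample inputs (not taken from the thread).
GOOD = b"Host: example.test\r\nTransfer-Encoding: chunked\r\n"
BAD = b"Host: example.test\r\nContent-Length: 5\r\nTransfer-Encoding : chunked\r\n"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(should_reject(sample), check_header_block(sample)[1])
```

Rejecting the whole request, rather than trimming the name and carrying on, is what keeps a front-end and a back-end from framing the same bytes differently.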