update netty and zookeeper #16267

Merged
xvrl merged 2 commits into apache:master from janjwerner-confluent:cve-cleanup
Apr 16, 2024

@janjwerner-confluent
Contributor

@janjwerner-confluent janjwerner-confluent commented Apr 11, 2024

Description

Update dependencies to address CVEs:

  • Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
  • Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

Release note

  • Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
  • Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@findingrish
Contributor

Hi @janjwerner-confluent, thanks for the change.

To fix the build failure, I think we will have to update the io.netty:netty-tcnative-boringssl-static version in licenses.yaml.
The netty version upgrade is bringing in a higher version of this dependency in the azure-extension module.

[INFO] +- com.azure:azure-identity:jar:1.11.1:compile
[INFO] |  +- com.azure:azure-core-http-netty:jar:1.13.11:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-unix-common:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.108.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-classes:jar:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.65.Final:compile
[INFO] |  |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.65.Final:compile
[INFO] |  |  |  \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.65.Final:compile
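
The check this comment points at, as an added example that is not part of the original thread or of the Druid build: parse `mvn dependency:tree` output and report artifacts whose resolved version no longer matches a recorded version, plus any artifact still below the fixed release. `RECORDED`, `FLOORS` and the function names are hypothetical, and the recorded tcnative value is a placeholder because the page does not show the contents of licenses.yaml.

```python
import re

# Constructed sample in `mvn dependency:tree` format, using lines quoted in the comment above.
SAMPLE_TREE = """\
[INFO] +- com.azure:azure-identity:jar:1.11.1:compile
[INFO] |  +- com.azure:azure-core-http-netty:jar:1.13.11:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.108.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.65.Final:compile
[INFO] |  |  |  \\- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.65.Final:compile
"""
# Hypothetical stand-in for versions recorded in a license registry (placeholder value).
RECORDED = {"io.netty:netty-tcnative-boringssl-static": "0.0.0-PLACEHOLDER",
            "io.netty:netty-codec-http2": "4.1.108.Final"}
# Assumed policy: minimum fixed version per group, applied only within the same major.minor line.
FLOORS = {"io.netty": "4.1.108.Final"}

_PREFIX = re.compile(r"^\[INFO\][\s|+\\-]*")  # log tag plus tree-drawing characters

def parse_tree(text):
    """Return {"group:artifact": {resolved versions}} from dependency:tree lines."""
    resolved = {}
    for line in text.splitlines():
        parts = _PREFIX.sub("", line).strip().split(":")
        if len(parts) == 5:    # group:artifact:type:version:scope
            version = parts[3]
        elif len(parts) == 6:  # group:artifact:type:classifier:version:scope
            version = parts[4]
        else:
            continue           # not a dependency coordinate
        resolved.setdefault(f"{parts[0]}:{parts[1]}", set()).add(version)
    return resolved

def version_key(version):
    """Numeric components only: 4.1.108.Final -> (4, 1, 108)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def audit(tree_text, recorded, floors):
    """Return (stale_records, below_floor) for the resolved tree."""
    stale, below = [], []
    for ga, versions in sorted(parse_tree(tree_text).items()):
        if ga in recorded and versions != {recorded[ga]}:
            stale.append((ga, recorded[ga], sorted(versions)))
        floor = floors.get(ga.split(":")[0])
        for v in sorted(versions):
            same_line = floor and version_key(v)[:2] == version_key(floor)[:2]
            if same_line and version_key(v) < version_key(floor):
                below.append((ga, v))
    return stale, below

if __name__ == "__main__":
    print(audit(SAMPLE_TREE, RECORDED, FLOORS))
```

The same-line rule keeps the 2.0.x tcnative artifacts from being compared against the 4.1.x floor, since they follow a separate version line within the same group.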

@janjwerner-confluent
Contributor Author

Hey @findingrish
I'm on it, just got stuck with other work and could not follow up on this.
Thanks!

@xvrl xvrl merged commit c45da43 into apache:master Apr 16, 2024
@janjwerner-confluent janjwerner-confluent deleted the cve-cleanup branch April 16, 2024 03:48
@adarshsanjeev adarshsanjeev added this to the 30.0.0 milestone May 6, 2024
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Jun 1, 2024
 Update dependencies to address CVEs:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

Release notes:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Jun 3, 2024
 Update dependencies to address CVEs:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944

Release notes:
- Update netty from 4.1.107.Final to 4.1.108.Final to address: CVE-2024-29025
- Update zookeeper from 3.8.3 to 3.8.4 to address: CVE-2024-23944