Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 #21397

Merged
merged 1 commit into from
Oct 19, 2023
Merged

[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 #21397

merged 1 commit into from
Oct 19, 2023

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Oct 19, 2023

Motivation

OWASP dependency check reports CVE-2023-44487 for Netty (and also Jetty).

Modifications

Upgrade Netty to 4.1.100.
Release notes: https://netty.io/news/2023/10/10/4-1-100-Final.html

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari added this to the 3.2.0 milestone Oct 19, 2023
@lhotari lhotari self-assigned this Oct 19, 2023
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 19, 2023
@codecov-commenter
Copy link

Codecov Report

Merging #21397 (3c932df) into master (b1bca56) will increase coverage by 0.03%.
Report is 5 commits behind head on master.
The diff coverage is 100.00%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #21397      +/-   ##
============================================
+ Coverage     73.27%   73.30%   +0.03%     
+ Complexity    32581    32473     -108     
============================================
  Files          1888     1888              
  Lines        140282   140279       -3     
  Branches      15415    15416       +1     
============================================
+ Hits         102790   102834      +44     
+ Misses        29415    29350      -65     
- Partials       8077     8095      +18
Flag Coverage Δ
inttests 24.19% <50.00%> (+0.03%) ⬆️
systests 24.74% <0.00%> (+0.03%) ⬆️
unittests 72.58% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
...sar/broker/service/persistent/PersistentTopic.java 79.44% <100.00%> (+0.15%) ⬆️

... and 76 files with indirect coverage changes

@Technoboy- Technoboy- merged commit aae6c71 into apache:master Oct 19, 2023
47 of 49 checks passed
poorbarcode pushed a commit that referenced this pull request Oct 24, 2023
@lhotari @poorbarcode
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (#21397)
b931ad2 
(cherry picked from commit aae6c71)
@compuguy
Copy link

Can this be marked/labeled cherry-picked/branch-3.1? This would go great with #21395.

lhotari added a commit that referenced this pull request Oct 26, 2023
@lhotari
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (#21397)
6d8e17f 
(cherry picked from commit aae6c71)

# Conflicts:
#	buildtools/pom.xml
#	distribution/server/src/assemble/LICENSE.bin.txt
#	distribution/shell/src/assemble/LICENSE.bin.txt
#	pom.xml
#	pulsar-sql/presto-distribution/LICENSE
@lhotari
Copy link
Member Author

lhotari commented Oct 26, 2023

Can this be marked/labeled cherry-picked/branch-3.1? This would go great with #21395.

@compuguy cherry picked together with #21395 to branch-3.1 .

@compuguy compuguy mentioned this pull request Oct 26, 2023
Merged
4 tasks
@CTTY
Copy link

CTTY commented Nov 30, 2023

Would this be backported to 2.x version of pulsar?

liangyepianzhou pushed a commit to streamnative/pulsar-archived that referenced this pull request Dec 12, 2023
@lhotari @liangyepianzhou
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…
89ea4b9 
…#21397)

(cherry picked from commit aae6c71)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 12, 2023
@lhotari @nikhil-ctds
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…
11d7d4f 
…#21397)

(cherry picked from commit aae6c71)

 Conflicts:
	buildtools/pom.xml
	distribution/server/src/assemble/LICENSE.bin.txt
	distribution/shell/src/assemble/LICENSE.bin.txt
@nikhil-ctds nikhil-ctds mentioned this pull request Dec 12, 2023
Closed
4 tasks
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 14, 2023
@lhotari @srinath-ctds
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…
c1f5e09 
…#21397)

(cherry picked from commit aae6c71)

 Conflicts:
	buildtools/pom.xml
	distribution/server/src/assemble/LICENSE.bin.txt
	distribution/shell/src/assemble/LICENSE.bin.txt
liangyepianzhou pushed a commit that referenced this pull request Dec 14, 2023
@lhotari @liangyepianzhou
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (#21397)
2f00fb9 
(cherry picked from commit aae6c71)
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
@lhotari @nikhil-ctds
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…
ce9174e 
…#21397)

(cherry picked from commit aae6c71)

# Conflicts:
#	buildtools/pom.xml
#	distribution/server/src/assemble/LICENSE.bin.txt
#	distribution/shell/src/assemble/LICENSE.bin.txt
#	pom.xml
#	pulsar-sql/presto-distribution/LICENSE
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 20, 2023
@lhotari @srinath-ctds
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…
b03ffac 
…#21397)

(cherry picked from commit aae6c71)

# Conflicts:
#	buildtools/pom.xml
#	distribution/server/src/assemble/LICENSE.bin.txt
#	distribution/shell/src/assemble/LICENSE.bin.txt
#	pom.xml
#	pulsar-sql/presto-distribution/LICENSE
liangyepianzhou pushed a commit that referenced this pull request Jan 11, 2024
@lhotari @liangyepianzhou
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (#21397)
036f791 
(cherry picked from commit aae6c71)
(cherry picked from commit 2f00fb9)
liangyepianzhou added a commit to liangyepianzhou/pulsar that referenced this pull request Feb 16, 2024
@liangyepianzhou
Revert "[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (
fe4b7ff 
…apache#21397)"

This reverts commit 2f00fb9.
nodece pushed a commit to nodece/pulsar that referenced this pull request Feb 23, 2024
@lhotari @nodece
[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…
43cde8d 
…#21397)

(cherry picked from commit aae6c71)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Technoboy- Technoboy- Technoboy- approved these changes

@tisonkun tisonkun Awaiting requested review from tisonkun

@mattisonchao mattisonchao Awaiting requested review from mattisonchao

Assignees

@lhotari lhotari

Labels
area/security cherry-picked/branch-2.10 cherry-picked/branch-3.0 cherry-picked/branch-3.1 doc-not-needed Your PR changes do not impact docs ready-to-test release/2.10.6 release/3.0.2 release/3.1.2
Projects
None yet
Milestone
3.2.0
Development

Successfully merging this pull request may close these issues.
7 participants
@lhotari @codecov-commenter @compuguy @CTTY @Technoboy- @poorbarcode @liangyepianzhou