ZOOKEEPER-4209: Update Netty to 4.1.59.Final #1605
dbc1e55 to 6c304b7
I realized this GH Action has been failing for most PRs at different tests (I had these tests failing at different tests), which seems an indication of an environment issue. How is this approached since the Jenkins job passes correctly?
Thank you.
Would you mind also renaming the relevant *.LICENSE.txt files in the zookeeper-server/src/main/resources/lib directory? (This is annoying, and we should probably get rid of it. But let's keep things aligned for now.)
I realized this GH Action has been failing for most PRs at different tests (I had these tests failing at different tests), which seems an indication of an environment issue. How is this approached since the Jenkins job passes correctly?
This should soon be fix^H^H^H worked around: #1606.
Best, -D
6c304b7 to b2849d3
LGTM
Thanks; LGTM!
Update Netty to 4.1.59.Final on to address the vulnerability described at https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439
Author: Frederiko Costa <[email protected]>
Reviewers: Enrico Olivelli <[email protected]>, Damien Diederen <[email protected]>
Closes #1605 from frederiko/netty-4.1.59-update
(cherry picked from commit 884fc38)
Signed-off-by: Damien Diederen <[email protected]>
Picked into
Many thanks! Lifesaver to me. Hope to contribute more soon. Quick question: what's the next step to get a new release (3.5.10?, 3.6.3?) - sorry, couldn't find the process?
@ztzg in order to pick this to branch-3.5 we have to add a new patch because in branch-3.5 we also have Ant/Ivy XML files to update.
@frederiko would you mind creating a second PR for branch-3.5 with the update of the Ivy dependency files?
Sure thing. I believe I have addressed this in #1607 @eolivelli
@eolivelli: Oops; sorry about that.
@frederiko: I'm not aware of any process for triggering new releases, besides perhaps asking on the
SNYK-JAVA-IONETTY-1020439 is described as a "Denial of Service" attack, and ZooKeeper is usually not exposed. So is this upgrade a "Lifesaver" because you have to comply with some "zero vulnerabilities" policy, or because you actually expect issues?
Building ZooKeeper from Git is not very difficult, so that may be a temporary option?
(In some contexts, we deploy self-built ZooKeeper instances as we still need a few patches applied on top of the branch(es)—meaning we automatically get the latest CVE fixes. In other contexts, we are trying to deploy pure releases, and are going to hit the same issue. As far as I can tell, the Maven model is kinda "anti-dependency-injection," so the only option seems to be accelerating the release cadence. A lot of work has been made to facilitate that, but I'm afraid the project doesn't have a good answer for the manual work which is still needed.)
@eolivelli: Am I missing something?
You can only ask for a release on [email protected]. As said we released 3.5.9 last month... and this issue does not affect ZooKeeper. So I am not sure we are really in a hurry. On the client side you can override the dependency.
Btw, you can always ask and describe your needs. Then together as a community we will decide what to do.
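The client-side override mentioned in the comment above, as an added example (not part of the original thread and not ZooKeeper's own build files): a consuming project's `pom.xml` that imports `io.netty:netty-bom` so the Netty modules arriving transitively through the ZooKeeper 3.5.9 client resolve to 4.1.59.Final. The `com.example` coordinates are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the application that uses the ZooKeeper client -->
  <groupId>com.example</groupId>
  <artifactId>zk-client-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Netty version the PR moves ZooKeeper to -->
    <netty.version>4.1.59.Final</netty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM pins every io.netty module to one version.
           Managed versions also apply to transitive dependencies, so the
           Netty artifacts pulled in by ZooKeeper are overridden together
           and cannot end up at mixed versions. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Released ZooKeeper version named in the thread; its own POM still
         declares the older Netty, which the BOM import above replaces. -->
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper</artifactId>
      <version>3.5.9</version>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=io.netty` in the consuming project shows which Netty versions are actually resolved. The override only changes the client's classpath; servers running a released ZooKeeper distribution keep the Netty jars shipped with that release.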
@ztzg Yeah, this update is to reach zero vulnerability policy. "lifesaver" was a bad wording choice here. ;-) I don't really expect any issues. In regards to building, I was unaware of the release cadence, hence the question, and yes, I can try building myself and go from there, no need to raise the question to devs.
@eolivelli Understood. I will certainly take any concerns to the community. In any case, I truly appreciate the speed with which the PRs have been approved.
No problem; I was just wondering.
On PR #1605 eolivelli requested to also update the Ivy dependency file. This PR addresses the comment on #1605 (comment)
Author: Frederiko Costa <[email protected]>
Reviewers: Enrico Olivelli <[email protected]>, Damien Diederen <[email protected]>
Closes #1607 from frederiko/ivy-update
Update Netty to 4.1.59.Final on to address the vulnerability described at https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439
Author: Frederiko Costa <[email protected]>
Reviewers: Enrico Olivelli <[email protected]>, Damien Diederen <[email protected]>
Closes apache#1605 from frederiko/netty-4.1.59-update
Co-authored-by: Frederiko Costa <[email protected]>