Posted to dev@zookeeper.apache.org by Enrico Olivelli <eo...@gmail.com> on 2022/01/26 12:11:24 UTC

Updating dependencies due to OWASP checker failing

Hello,
before cutting a new release we have to fix these issues:

[2022-01-25T13:12:17.229Z] netty-transport-4.1.70.Final.jar
(pkg:maven/io.netty/netty-transport@4.1.70.Final,
cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797
[2022-01-25T13:12:17.229Z] log4j-1.2.17.jar
(pkg:maven/log4j/log4j@1.2.17,
cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2021-4104,
CVE-2022-23307

For Netty the fix is easy and I am going to send a patch soon.

For Log4j we are at this point:
- for 3.8 we are migrating to LogBack
- for 3.6 and 3.7 we are stuck with log4j1

One "compatible" option for 3.6 and 3.7 is to migrate to
https://reload4j.qos.ch/


See
https://ci-hadoop.apache.org/blue/organizations/jenkins/zookeeper-multi-branch-owasp


Enrico
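As an added illustration (not part of Enrico's message or of the ZooKeeper build), this is the shape a Maven swap from log4j 1.2.17 to reload4j takes: manage reload4j and the matching slf4j binding centrally, and exclude the transitive log4j:log4j that other artifacts still pull in. The version placeholders and the `com.example:some-library` artifact are assumptions.

```xml
<!-- Added example, not the project's own pom.xml. Versions are placeholders. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- reload4j is a drop-in fork of log4j 1.2.17 that addresses the
           CVEs the OWASP scan flags against log4j-1.2.17.jar -->
      <dependency>
        <groupId>ch.qos.reload4j</groupId>
        <artifactId>reload4j</artifactId>
        <version>REPLACE_WITH_RELOAD4J_VERSION</version>
      </dependency>
      <!-- slf4j binding that targets reload4j instead of log4j:log4j -->
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-reload4j</artifactId>
        <version>REPLACE_WITH_SLF4J_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>ch.qos.reload4j</groupId>
      <artifactId>reload4j</artifactId>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-reload4j</artifactId>
    </dependency>
    <!-- Any dependency that still drags in log4j:log4j transitively needs
         an exclusion; otherwise log4j-1.2.17.jar stays on the classpath
         next to reload4j and the scanner keeps reporting it. -->
    <dependency>
      <groupId>com.example</groupId>          <!-- hypothetical artifact -->
      <artifactId>some-library</artifactId>
      <version>1.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

`mvn dependency:tree -Dincludes=log4j:log4j` should print no matches once every transitive path has been excluded, which is the quickest check that the OWASP finding will actually clear.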