You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Erick Erickson (Jira)" <ji...@apache.org> on 2020/03/14 17:23:00 UTC

[jira] [Comment Edited] (SOLR-14296) Update netty to 4.1.47

    [ https://issues.apache.org/jira/browse/SOLR-14296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17059414#comment-17059414 ] 

Erick Erickson edited comment on SOLR-14296 at 3/14/20, 5:22 PM:
-----------------------------------------------------------------

I found some weirdness between the Gradle build (versions.lock) while working on upgrading ZK, so I'll do both at once. Curiously, the gradle version was 4.1.45, not sure how it got there.

 Meanwhile, 4.1.47 came out so I'll upgrade to that.

Thanks [~asalamon74]  for doing the work on this, I'm glad you found the issue with 1.45, that'll make things easier.


was (Author: erickerickson):
I found some weirdness between the Gradle build (versions.lock) while working on upgrading ZK, so I'll do both at once. Curiously, the gradle version was 4.1.45, not sure how it got there.

 

Thanks [~asalamon74]  for doing the work on this, I'm glad you found the issue with 1.45, that'll make things easier.

> Update netty to 4.1.47
> ----------------------
>
>                 Key: SOLR-14296
>                 URL: https://issues.apache.org/jira/browse/SOLR-14296
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Andras Salamon
>            Priority: Minor
>         Attachments: SOLR-14296-01.patch
>
>
> There are two CVEs against the current netty version:
> [https://nvd.nist.gov/vuln/detail/CVE-2019-20444]
>  [https://nvd.nist.gov/vuln/detail/CVE-2019-20445]
> Although solr is not affected it would be still good to update netty.
> The first non-affected netty version is 4.1.45 but during the update I've found a netty bug ( [https://github.com/netty/netty/issues/10017] ) so it's better to update to 4.1.46



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org