Posted to user@zookeeper.apache.org by Daniel Chan <da...@oracle.com> on 2019/11/22 23:50:30 UTC

Does ZK 3.4.14 support Netty 4.1.42.Final?

Hi,

From https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.4.14, Zookeeper depends on Netty 3.10.6.Final.

However, Netty has CVEs for versions prior to 4.1.42.Final as per https://nvd.nist.gov/vuln/detail/CVE-2019-16869:
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Will Zookeeper (both client and server) work if we use Netty 4.1.42.Final or above instead?

Also what jars are needed for the Zookeeper Client?

Thanks,
Daniel
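An added example, not part of the thread, showing what the quoted CVE-2019-16869 description means in practice: a lenient header parser that trims the field name treats "Transfer-Encoding : chunked" as a valid Transfer-Encoding header, while a strict parser rejects the line because the name is not a bare RFC 7230 token, so the two disagree about message framing. The header block is constructed; function names are this example's own.

```python
import re

# Constructed sample: the header shape named in the CVE description.
SAMPLE_HEADERS = (
    "Host: example.test\r\n"
    "Content-Length: 5\r\n"
    "Transfer-Encoding : chunked\r\n"
    "\r\n"
)
CLEAN_HEADERS = "Host: example.test\r\nContent-Length: 5\r\n\r\n"

# RFC 7230 "token": no whitespace allowed, so a name with a trailing space fails.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

class BadHeader(ValueError):
    """Raised by the strict parser for a malformed field line."""

def parse_headers_lenient(raw):
    """Mimics a parser that strips whitespace around the field name (the pre-fix behaviour)."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_headers_strict(raw):
    """Accepts only bare-token field names followed directly by ':' (the fixed behaviour)."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            break
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise BadHeader(f"invalid field name {name!r}")
        headers[name.lower()] = value.strip()
    return headers

def strict_rejects(raw):
    """True when the strict parser refuses the header block."""
    try:
        parse_headers_strict(raw)
    except BadHeader:
        return True
    return False

def framing_disagrees(raw):
    """True when lenient and strict parsing do not agree on whether chunked framing applies."""
    lenient_te = "transfer-encoding" in parse_headers_lenient(raw)
    if strict_rejects(raw):
        return True  # strict side would answer 400; lenient side would forward the message
    strict_te = "transfer-encoding" in parse_headers_strict(raw)
    return lenient_te != strict_te
```

Any intermediary that still uses the lenient behaviour in front of a strict origin (or the reverse) is the configuration the CVE entry warns about; the disagreement check is the property to test for, not the individual parser.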

Re: Does ZK 3.4.14 support Netty 4.1.42.Final?

Posted by Enrico Olivelli <eo...@gmail.com>.
On Mon 25 Nov 2019, 19:39 Daniel Chan <da...@oracle.com>
wrote:

> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?
>

If you are using only 3.4 features (that should be quite obvious because
you are on 3.4) you can upgrade client and server in any order.
I have been running with 3.5 client and 3.4 in production for years
without issue


Enrico




Re: Does ZK 3.4.14 support Netty 4.1.42.Final?

Posted by Andor Molnar <an...@apache.org>.
Oh, great, I’m still having my incomplete patch locally for that Jira.
Abandoned a while ago, but I think I can come back to this possibly tomorrow.

Thanks for the heads up! :)

Andor



> On 2019. Nov 25., at 19:39, Daniel Chan <da...@oracle.com> wrote:
> 
> Thanks Patrick and Tamas for the information.
> 
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
> 
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to 3.5.6, should we upgrade the server or client first?
> 
> Thanks,
> Daniel


Re: Does ZK 3.4.14 support Netty 4.1.42.Final?

Posted by Patrick Hunt <ph...@apache.org>.
I don't see a patch on that jira and based on the linked thread it seems
like folks were against revving 3.4. If you're interested/motivated perhaps
you can submit a patch? I'm sure @Andor Molnár <an...@apache.org> won't
mind. ;-)

Also: just remove the netty files from the binary. iirc if you're using NIO
we don't try to load netty and it should just work. I haven't tried this in
quite some time though, we could have added a dependency. I'd suggest
giving it a try.

Patrick


On Mon, Nov 25, 2019 at 10:39 AM Daniel Chan <da...@oracle.com>
wrote:

> Thanks Patrick and Tamas for the information.
>
> Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?
>
> We are currently running on 3.4.9 server and 3.4.6 client. If moving to
> 3.5.6, should we upgrade the server or client first?
>
> Thanks,
> Daniel
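An added example, not from the thread, that turns the two points above into an audit a practitioner can run against a deployment: Daniel's question is whether the shipped Netty is older than 4.1.42.Final (the fix version named in the NVD entry on this page), and Patrick's note is that a server configured for NIO does not load Netty at all. The lib listing and zoo.cfg text are constructed; serverCnxnFactory is the real ZooKeeper server setting, and the "netty-unused" verdict relies on Patrick's "iirc", which he says he has not verified recently.

```python
import re

# Constructed inputs: a ZK 3.4.14 lib directory listing (Netty version as on
# the page) and a zoo.cfg that explicitly selects the Netty connection factory.
LIB_DIR_LISTING = """
zookeeper-3.4.14.jar
netty-3.10.6.Final.jar
slf4j-api-1.7.25.jar
log4j-1.2.17.jar
jline-0.9.94.jar
"""
ZOO_CFG = """
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
"""

# First release that fixes CVE-2019-16869 according to the NVD entry quoted above.
FIXED_NETTY = (4, 1, 42)
# Matches netty-3.10.6.Final.jar as well as Netty 4 module names such as netty-all-4.1.42.Final.jar.
NETTY_JAR = re.compile(r"^netty(?:-[a-z]+)*-(\d+)\.(\d+)\.(\d+)(?:\.Final)?\.jar$")

def netty_versions(listing):
    """Return [(filename, (major, minor, patch))] for every Netty jar in the listing."""
    found = []
    for name in listing.split():
        m = NETTY_JAR.match(name)
        if m:
            found.append((name, tuple(int(x) for x in m.groups())))
    return found

def netty_selected(zoo_cfg):
    """True when zoo.cfg picks the Netty connection factory; the default is NIO."""
    for line in zoo_cfg.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "serverCnxnFactory":
            return "Netty" in value
    return False

def audit(listing, zoo_cfg):
    """Verdict plus the offending jars: 'ok', 'netty-unused' (old jar shipped but
    not loaded under NIO, per Patrick's note) or 'vulnerable' (old jar and Netty selected)."""
    old = [name for name, ver in netty_versions(listing) if ver < FIXED_NETTY]
    if not old:
        return "ok", old
    if not netty_selected(zoo_cfg):
        return "netty-unused", old
    return "vulnerable", old
```

A "netty-unused" result is the case where Patrick's suggestion of deleting the Netty jars from the binary applies; the thread's recommendation for the other case is to move to 3.5.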

RE: Does ZK 3.4.14 support Netty 4.1.42.Final?

Posted by Daniel Chan <da...@oracle.com>.
Thanks Patrick and Tamas for the information.

Is there any ETA on https://issues.apache.org/jira/browse/ZOOKEEPER-3568?

We are currently running on 3.4.9 server and 3.4.6 client. If moving to 3.5.6, should we upgrade the server or client first?

Thanks,
Daniel


Re: Does ZK 3.4.14 support Netty 4.1.42.Final?

Posted by Patrick Hunt <ph...@apache.org>.
This was discussed relatively recently:
https://lists.apache.org/thread.html/680038b345da49a3d5cb452de5d54d62f14d1df0747690980c218c1a@%3Cdev.zookeeper.apache.org%3E

Gist is that while the identified issue didn't affect us directly folks
should move to 3.5 (or don't use netty in 3.4) given 3.4 is using a version
of netty that's no longer supported and too difficult to upgrade.

Patrick



Re: Does ZK 3.4.14 support Netty 4.1.42.Final?

Posted by Tamas Penzes <ta...@cloudera.com.INVALID>.
Hi Daniel,

I remember that the migration from Netty 3 to 4 wasn't a trivial task, so I
would not expect it in any future ZK 3.4 release.

But we have ZK 3.5.5 and 3.5.6 and the migration to any of them is not
really problematic since they are backward compatible. We have done it for
many Hadoop components, without big code changes (if you use Curator, don't
forget to use 4.2.0+ and exclude its own beta ZK).

So the best is to try ZK 3.5.6.

Regards, Tamaas
