Posted to commits@arrow.apache.org by li...@apache.org on 2023/06/21 19:22:44 UTC

[arrow] branch main updated: GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211)

This is an automated email from the ASF dual-hosted git repository.

lidavidm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow.git


The following commit(s) were added to refs/heads/main by this push:
     new ea4f03ac16 GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211)
ea4f03ac16 is described below

commit ea4f03ac166e3961b59f29f60dcd160fbed29894
Author: Bryan Cutler <cu...@gmail.com>
AuthorDate: Wed Jun 21 12:22:38 2023 -0700

    GH-36209: [Java] Upgrade Netty due to security vulnerability (#36211)
    
    ### Rationale for this change
    
    Upgrading Netty dependency due to CVE https://github.com/advisories/GHSA-6mjq-h674-j845
    This also requires a patch to arrow-memory
    
    ### What changes are included in this PR?
    
    Upgrading Netty, gRPC and Protobuf dependencies
    
    ### Are these changes tested?
    Existing tests
    
    ### Are there any user-facing changes?
    No
    
    **This PR contains a "Critical Fix".**
    
    netty-handler SniHandler 16MB allocation
    
    The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap.
    
    https://github.com/advisories/GHSA-6mjq-h674-j845
    
    * Closes: #36209
    
    Authored-by: Bryan Cutler <cu...@gmail.com>
    Signed-off-by: David Li <li...@gmail.com>
---
 .../src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java      | 2 +-
 java/pom.xml                                                        | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java b/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
index fc6fc5d2b6..74b7a8530c 100644
--- a/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
+++ b/java/memory/memory-netty/src/main/java/io/netty/buffer/PooledByteBufAllocatorL.java
@@ -161,7 +161,7 @@ public class PooledByteBufAllocatorL {
     }
 
     private UnsafeDirectLittleEndian newDirectBufferL(int initialCapacity, int maxCapacity) {
-      PoolThreadCache cache = threadCache();
+      PoolArenasCache cache = threadCache();
       PoolArena<ByteBuffer> directArena = cache.directArena;
 
       if (directArena != null) {
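Review bot: the type change from `PoolThreadCache` to `PoolArenasCache` in `newDirectBufferL` tracks the return type of `threadCache()` in the new Netty, but nothing at this line records that this class (placed in the `io.netty.buffer` package to reach Netty's package-private allocator internals, including the `cache.directArena` field read on the next line) is now bound to exactly the `4.1.94.Final` BOM set in `java/pom.xml`. A comment naming the Netty version the internal type comes from, and a build-time check that the resolved Netty version matches, would make the next bump easier to review; a different Netty on the runtime classpath would otherwise surface only as a linkage error.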
diff --git a/java/pom.xml b/java/pom.xml
index ce393fed87..ccb2a2b72d 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -33,9 +33,9 @@
     <dep.junit.jupiter.version>5.9.0</dep.junit.jupiter.version>
     <dep.slf4j.version>1.7.25</dep.slf4j.version>
     <dep.guava-bom.version>31.1-jre</dep.guava-bom.version>
-    <dep.netty-bom.version>4.1.82.Final</dep.netty-bom.version>
-    <dep.grpc-bom.version>1.49.1</dep.grpc-bom.version>
-    <dep.protobuf-bom.version>3.21.6</dep.protobuf-bom.version>
+    <dep.netty-bom.version>4.1.94.Final</dep.netty-bom.version>
+    <dep.grpc-bom.version>1.56.0</dep.grpc-bom.version>
+    <dep.protobuf-bom.version>3.23.1</dep.protobuf-bom.version>
     <dep.jackson-bom.version>2.15.1</dep.jackson-bom.version>
     <dep.hadoop.version>2.7.1</dep.hadoop.version>
     <dep.fbs.version>1.12.0</dep.fbs.version>
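Review bot: the three BOM bumps (`netty-bom` 4.1.82.Final to 4.1.94.Final, `grpc-bom` 1.49.1 to 1.56.0, `protobuf-bom` 3.21.6 to 3.23.1) carry no comment explaining why gRPC and Protobuf must move together with Netty; the commit message only states that they were upgraded. A short note beside these properties recording the compatibility constraint, plus a check of the resolved dependency tree (for example `mvn dependency:tree`) confirming that no module still pulls in the older Netty transitively, would document that the fix for the cited advisory actually reaches the runtime classpath.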
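The commit message above quotes the advisory's point that SniHandler can hold up to 16MB of heap per channel while a peer lingers in the TLS handshake, and that the exposure is bounded when the channel has an idle timeout. As an added example that is not part of this commit, of Arrow, or of Netty, the following Java pipeline places an IdleStateHandler in front of SniHandler so a silent peer is disconnected and its buffers released; the hostnames, port, self-signed certificate and 10-second budget are assumptions made for the example.

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.handler.timeout.IdleStateEvent;
import io.netty.handler.timeout.IdleStateHandler;
import io.netty.util.DomainWildcardMappingBuilder;
import io.netty.util.Mapping;
import java.util.concurrent.TimeUnit;
/** Added example, not Arrow or Netty code: an SNI server with an idle timeout ahead of SniHandler. */
public final class SniServerWithIdleTimeout {
  // Seconds a peer may stay silent during the handshake before its channel is dropped (assumed value).
  static final long HANDSHAKE_IDLE_SECONDS = 10;
  static ChannelInitializer<SocketChannel> initializer(SslContext defaultCtx, SslContext siteCtx) {
    // SNI name -> SslContext; unmatched names fall back to defaultCtx (hostnames are constructed).
    Mapping<String, SslContext> mapping = new DomainWildcardMappingBuilder<>(defaultCtx)
        .add("*.example.test", siteCtx).build();
    return new ChannelInitializer<SocketChannel>() {
      @Override protected void initChannel(SocketChannel ch) {
        ChannelPipeline p = ch.pipeline();
        // Idle detection goes first so it observes the raw ClientHello bytes (or their absence).
        p.addLast("idle", new IdleStateHandler(HANDSHAKE_IDLE_SECONDS, 0, 0, TimeUnit.SECONDS));
        // Closing the channel releases whatever SniHandler has accumulated for a stalled peer.
        p.addLast("idleCloser", new ChannelInboundHandlerAdapter() {
          @Override public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
            if (evt instanceof IdleStateEvent) { ctx.close(); } else { ctx.fireUserEventTriggered(evt); }
          }
        });
        // SniHandler parses the ClientHello, picks a context, then replaces itself with an SslHandler.
        p.addLast("sni", new SniHandler(mapping));
      }
    };
  }
  public static void main(String[] args) throws Exception {
    SelfSignedCertificate cert = new SelfSignedCertificate(); // throwaway certificate for the example only
    SslContext ctx = SslContextBuilder.forServer(cert.certificate(), cert.privateKey()).build();
    EventLoopGroup boss = new NioEventLoopGroup(1), workers = new NioEventLoopGroup();
    try {
      Channel ch = new ServerBootstrap().group(boss, workers).channel(NioServerSocketChannel.class)
          .childHandler(initializer(ctx, ctx)).bind(8443).sync().channel(); // port is an assumption
      ch.closeFuture().sync();
    } finally { boss.shutdownGracefully(); workers.shutdownGracefully(); }
  }
}
```

The reader-idle timer resets on every byte received, so a peer that trickles handshake bytes slowly is not bounded by this alone; an overall handshake deadline (for example a scheduled close armed in `initChannel` and cancelled once the SslHandler reports the handshake complete) covers that case.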