Posted to commits@zookeeper.apache.org by eo...@apache.org on 2023/01/19 10:57:38 UTC

[zookeeper] branch master updated: ZOOKEEPER-4649: Upgrade netty to 4.1.86 because of CVE-2022-41915 (#1963)

This is an automated email from the ASF dual-hosted git repository.

eolivelli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new c7e15cee1 ZOOKEEPER-4649: Upgrade netty to 4.1.86 because of CVE-2022-41915 (#1963)
c7e15cee1 is described below

commit c7e15cee13abcfcad7bece2631716d5238c566a3
Author: Mate Szalay-Beko <sy...@apache.org>
AuthorDate: Thu Jan 19 11:57:30 2023 +0100

    ZOOKEEPER-4649: Upgrade netty to 4.1.86 because of CVE-2022-41915 (#1963)
    
    Co-authored-by: Mate Szalay-Beko <sy...@apache.com>
---
 pom.xml                                            |   2 +-
 zookeeper-server/src/main/resources/NOTICE.txt     | 225 ++++++++++++++++-----
 ...E.txt => netty-buffer-4.1.86.Final.LICENSE.txt} |   0
 ...SE.txt => netty-codec-4.1.86.Final.LICENSE.txt} |   0
 ....txt => netty-handler-4.1.86.Final.LICENSE.txt} |   0
 ...txt => netty-resolver-4.1.86.Final.LICENSE.txt} |   0
 ...ransport-native-epoll-4.1.86.Final.LICENSE.txt} |   0
 ...rt-native-unix-common-4.1.86.Final.LICENSE.txt} |   0
 8 files changed, 172 insertions(+), 55 deletions(-)

diff --git a/pom.xml b/pom.xml
index 9de520a8d..232584547 100755
--- a/pom.xml
+++ b/pom.xml
@@ -558,7 +558,7 @@
     <mockito.version>3.6.28</mockito.version>
     <hamcrest.version>2.2</hamcrest.version>
     <commons-cli.version>1.4</commons-cli.version>
-    <netty.version>4.1.76.Final</netty.version>
+    <netty.version>4.1.86.Final</netty.version>
     <jetty.version>9.4.49.v20220914</jetty.version>
     <jackson.version>2.13.2.1</jackson.version>
     <jline.version>2.14.6</jline.version>
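Review bot: the property bump is the right single point of change, but nothing in this hunk shows that every netty artifact on the classpath actually moves to 4.1.86.Final; a dependency that declares its own netty version would still resolve independently of `netty.version`. Before merge, `mvn dependency:tree -Dincludes=io.netty` should confirm that no 4.1.76.Final (or older) artifact survives, since the CVE-2022-41915 fix named in the commit title only helps if the affected artifact is the one that ships.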
diff --git a/zookeeper-server/src/main/resources/NOTICE.txt b/zookeeper-server/src/main/resources/NOTICE.txt
index efdd6b439..03601608e 100644
--- a/zookeeper-server/src/main/resources/NOTICE.txt
+++ b/zookeeper-server/src/main/resources/NOTICE.txt
@@ -11,10 +11,10 @@ for Airlift code can be found at:
 https://github.com/airlift/airlift/blob/master/LICENSE
 
 This product includes software developed by
-The Netty Project (http://netty.io/)
-Copyright 2011 The Netty Project
-
-The Netty NOTICE file contains the following items:
+The Netty Project (http://netty.io/) Copyright 2011 The Netty Project
+The Netty NOTICE file (https://github.com/netty/netty/blob/4.1/NOTICE.txt)
+contains the following items:
+---------------- start of netty NOTICE file ----------------
 This product contains the extensions to Java Collections Framework which has
 been derived from the works by JSR-166 EG, Doug Lea, and Jason T. Greene:
 
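Review bot: the new reference `https://github.com/netty/netty/blob/4.1/NOTICE.txt` points at a moving branch, so the quoted block below will drift away from whatever the link shows over time. Since the pom pins `4.1.86.Final`, link to the release tag instead (assuming netty's usual `netty-4.1.86.Final` tag naming, `.../blob/netty-4.1.86.Final/NOTICE.txt`) so the embedded copy stays verifiable against the exact release being shipped.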
@@ -32,29 +32,112 @@ Base64 Encoder and Decoder, which can be obtained at:
   * HOMEPAGE:
     * http://iharder.sourceforge.net/current/java/base64/
 
-This product contains a modified version of 'JZlib', a re-implementation of
-zlib in pure Java, which can be obtained at:
+This product contains a modified portion of 'Webbit', an event based
+WebSocket and HTTP server, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.webbit.txt (BSD License)
+  * HOMEPAGE:
+    * https://github.com/joewalnes/webbit
+
+This product contains a modified portion of 'SLF4J', a simple logging
+facade for Java, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.slf4j.txt (MIT License)
+  * HOMEPAGE:
+    * https://www.slf4j.org/
+
+This product contains a modified portion of 'Apache Harmony', an open source
+Java SE, which can be obtained at:
 
+  * NOTICE:
+    * license/NOTICE.harmony.txt
   * LICENSE:
-    * license/LICENSE.jzlib.txt (BSD Style License)
+    * license/LICENSE.harmony.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://archive.apache.org/dist/harmony/
+
+This product contains a modified portion of 'jbzip2', a Java bzip2 compression
+and decompression library written by Matthew J. Francis. It can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.jbzip2.txt (MIT License)
+  * HOMEPAGE:
+    * https://code.google.com/p/jbzip2/
+
+This product contains a modified portion of 'libdivsufsort', a C API library to construct
+the suffix array and the Burrows-Wheeler transformed string for any input string of
+a constant-size alphabet written by Yuta Mori. It can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.libdivsufsort.txt (MIT License)
+  * HOMEPAGE:
+    * https://github.com/y-256/libdivsufsort
+
+This product contains a modified portion of Nitsan Wakart's 'JCTools', Java Concurrency Tools for the JVM,
+ which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.jctools.txt (ASL2 License)
+  * HOMEPAGE:
+    * https://github.com/JCTools/JCTools
+
+This product optionally depends on 'JZlib', a re-implementation of zlib in
+pure Java, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.jzlib.txt (BSD style License)
   * HOMEPAGE:
     * http://www.jcraft.com/jzlib/
 
-This product contains a modified version of 'Webbit', a Java event based
-WebSocket and HTTP server:
+This product optionally depends on 'Compress-LZF', a Java library for encoding and
+decoding data in LZF format, written by Tatu Saloranta. It can be obtained at:
 
   * LICENSE:
-    * license/LICENSE.webbit.txt (BSD License)
+    * license/LICENSE.compress-lzf.txt (Apache License 2.0)
   * HOMEPAGE:
-    * https://github.com/joewalnes/webbit
+    * https://github.com/ning/compress
+
+This product optionally depends on 'lz4', a LZ4 Java compression
+and decompression library written by Adrien Grand. It can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.lz4.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/jpountz/lz4-java
+
+This product optionally depends on 'lzma-java', a LZMA Java compression
+and decompression library, which can be obtained at:
 
-This product optionally depends on 'Protocol Buffers', Google's data
+  * LICENSE:
+    * license/LICENSE.lzma-java.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/jponge/lzma-java
+
+This product optionally depends on 'zstd-jni', a zstd-jni Java compression
+and decompression library, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.zstd-jni.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/luben/zstd-jni
+
+This product contains a modified portion of 'jfastlz', a Java port of FastLZ compression
+and decompression library written by William Kinney. It can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.jfastlz.txt (MIT License)
+  * HOMEPAGE:
+    * https://code.google.com/p/jfastlz/
+
+This product contains a modified portion of and optionally depends on 'Protocol Buffers', Google's data
 interchange format, which can be obtained at:
 
   * LICENSE:
     * license/LICENSE.protobuf.txt (New BSD License)
   * HOMEPAGE:
-    * http://code.google.com/p/protobuf/
+    * https://github.com/google/protobuf
 
 This product optionally depends on 'Bouncy Castle Crypto APIs' to generate
 a temporary self-signed X.509 certificate when the JVM does not provide the
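Review bot: the line ` which can be obtained at:` under the JCTools entry starts with a stray leading space, and several of the new entries describe optional libraries (lz4, lzma-java, zstd-jni) that this product does not ship; that is only defensible because the block is explicitly framed as a verbatim copy of netty's NOTICE. Keep it byte-for-byte identical to upstream rather than hand-editing it, otherwise the "contains the following items" claim stops being accurate.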
@@ -63,15 +146,31 @@ equivalent functionality.  It can be obtained at:
   * LICENSE:
     * license/LICENSE.bouncycastle.txt (MIT License)
   * HOMEPAGE:
-    * http://www.bouncycastle.org/
+    * https://www.bouncycastle.org/
 
-This product optionally depends on 'SLF4J', a simple logging facade for Java,
-which can be obtained at:
+This product optionally depends on 'Snappy', a compression library produced
+by Google Inc, which can be obtained at:
 
   * LICENSE:
-    * license/LICENSE.slf4j.txt (MIT License)
+    * license/LICENSE.snappy.txt (New BSD License)
   * HOMEPAGE:
-    * http://www.slf4j.org/
+    * https://github.com/google/snappy
+
+This product optionally depends on 'JBoss Marshalling', an alternative Java
+serialization API, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.jboss-marshalling.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/jboss-remoting/jboss-marshalling
+
+This product optionally depends on 'Caliper', Google's micro-
+benchmarking framework, which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.caliper.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/google/caliper
 
 This product optionally depends on 'Apache Commons Logging', a logging
 framework, which can be obtained at:
@@ -79,61 +178,79 @@ framework, which can be obtained at:
   * LICENSE:
     * license/LICENSE.commons-logging.txt (Apache License 2.0)
   * HOMEPAGE:
-    * http://commons.apache.org/logging/
+    * https://commons.apache.org/logging/
 
-This product optionally depends on 'Apache Logback', a logging framework,
-which can be obtained at:
+This product optionally depends on 'Apache Log4J', a logging framework, which
+can be obtained at:
 
   * LICENSE:
-    * license/LICENSE.logback.txt (Eclipse Public License 1.0)
+    * license/LICENSE.log4j.txt (Apache License 2.0)
   * HOMEPAGE:
-    * https://logback.qos.ch/
+    * https://logging.apache.org/log4j/
 
-This product optionally depends on 'JBoss Logging', a logging framework,
-which can be obtained at:
+This product optionally depends on 'Aalto XML', an ultra-high performance
+non-blocking XML processor, which can be obtained at:
 
   * LICENSE:
-    * license/LICENSE.jboss-logging.txt (GNU LGPL 2.1)
+    * license/LICENSE.aalto-xml.txt (Apache License 2.0)
   * HOMEPAGE:
-    * http://anonsvn.jboss.org/repos/common/common-logging-spi/
+    * https://wiki.fasterxml.com/AaltoHome
 
-This product optionally depends on 'Apache Felix', an open source OSGi
-framework implementation, which can be obtained at:
+This product contains a modified version of 'HPACK', a Java implementation of
+the HTTP/2 HPACK algorithm written by Twitter. It can be obtained at:
 
   * LICENSE:
-    * license/LICENSE.felix.txt (Apache License 2.0)
+    * license/LICENSE.hpack.txt (Apache License 2.0)
   * HOMEPAGE:
-    * http://felix.apache.org/
+    * https://github.com/twitter/hpack
 
-The bundled library Metrics Core NOTICE file reports the following items
+This product contains a modified version of 'HPACK', a Java implementation of
+the HTTP/2 HPACK algorithm written by Cory Benfield. It can be obtained at:
 
-Metrics
-Copyright 2010-2013 Coda Hale and Yammer, Inc.
+  * LICENSE:
+    * license/LICENSE.hyper-hpack.txt (MIT License)
+  * HOMEPAGE:
+    * https://github.com/python-hyper/hpack/
 
-This product includes software developed by Coda Hale and Yammer, Inc.
+This product contains a modified version of 'HPACK', a Java implementation of
+the HTTP/2 HPACK algorithm written by Tatsuhiro Tsujikawa. It can be obtained at:
 
-This product includes code derived from the JSR-166 project (ThreadLocalRandom, Striped64,
-LongAdder), which was released with the following comments:
+  * LICENSE:
+    * license/LICENSE.nghttp2-hpack.txt (MIT License)
+  * HOMEPAGE:
+    * https://github.com/nghttp2/nghttp2/
 
-    Written by Doug Lea with assistance from members of JCP JSR-166
-    Expert Group and released to the public domain, as explained at
-    http://creativecommons.org/publicdomain/zero/1.0/
+This product contains a modified portion of 'Apache Commons Lang', a Java library
+provides utilities for the java.lang API, which can be obtained at:
 
-The Nappy Java NOTICE file reports the following items:
+  * LICENSE:
+    * license/LICENSE.commons-lang.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://commons.apache.org/proper/commons-lang/
 
-This product includes software developed by Google
- Snappy: http://code.google.com/p/snappy/ (New BSD License)
 
-This product includes software developed by Apache
- PureJavaCrc32C from apache-hadoop-common http://hadoop.apache.org/
- (Apache 2.0 license)
+This product contains the Maven wrapper scripts from 'Maven Wrapper', that provides an easy way to ensure a user has everything necessary to run the Maven build.
 
-This library containd statically linked libstdc++. This inclusion is allowed by
-"GCC RUntime Library Exception"
-http://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html
+  * LICENSE:
+    * license/LICENSE.mvn-wrapper.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/takari/maven-wrapper
+
+This product contains the dnsinfo.h header file, that provides a way to retrieve the system DNS configuration on MacOS.
+This private header is also used by Apple's open source
+ mDNSResponder (https://opensource.apple.com/tarballs/mDNSResponder/).
+
+ * LICENSE:
+    * license/LICENSE.dnsinfo.txt (Apple Public Source License 2.0)
+  * HOMEPAGE:
+    * https://www.opensource.apple.com/source/configd/configd-453.19/dnsinfo/dnsinfo.h
+
+This product optionally depends on 'Brotli4j', Brotli compression and
+decompression for Java., which can be obtained at:
+
+  * LICENSE:
+    * license/LICENSE.brotli4j.txt (Apache License 2.0)
+  * HOMEPAGE:
+    * https://github.com/hyperxpro/Brotli4j
 
-== Contributors ==
-  * Tatu Saloranta
-    * Providing benchmark suite
-  * Alec Wysoker
-    * Performance and memory usage improvement
+---------------- end of netty NOTICE file ----------------
\ No newline at end of file
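Review bot: this hunk does more than the commit title says: it deletes the `Metrics Core` NOTICE block (Coda Hale and Yammer, Inc., plus the JSR-166 derived ThreadLocalRandom/Striped64/LongAdder attribution) and the `Snappy Java` NOTICE block (Google Snappy, PureJavaCrc32C from apache-hadoop-common, statically linked libstdc++ under the GCC Runtime Library Exception, and the contributors list), neither of which was part of netty's NOTICE. Unless those libraries are no longer bundled, restore those attributions after the `---------------- end of netty NOTICE file ----------------` marker, and add a trailing newline so the `\ No newline at end of file` marker goes away. Minor: ` * LICENSE:` under the dnsinfo.h entry is indented with one space instead of two, and `for Java., which` under Brotli4j has a stray period; if both are verbatim upstream, leave them, otherwise fix them here.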
diff --git a/zookeeper-server/src/main/resources/lib/netty-buffer-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-buffer-4.1.86.Final.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/netty-buffer-4.1.76.Final.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/netty-buffer-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-codec-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-codec-4.1.86.Final.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/netty-codec-4.1.76.Final.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/netty-codec-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-handler-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-handler-4.1.86.Final.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/netty-handler-4.1.76.Final.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/netty-handler-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-resolver-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-resolver-4.1.86.Final.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/netty-resolver-4.1.76.Final.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/netty-resolver-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.86.Final.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.76.Final.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.86.Final.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.76.Final.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.86.Final.LICENSE.txt