Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2020/12/05 21:33:58 UTC

[GitHub] [zookeeper] ztzg opened a new pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

ztzg opened a new pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554


   Bump jetty.version to 9.4.35.v20201120.
   
   The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120)
   mention [issue 5605](https://github.com/eclipse/jetty.project/issues/5605):
   
   > java.io.IOException: unconsumed input during http request parsing
   
   which seems to match the description of
   [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218)


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#issuecomment-750902054


   Merged in `branch-3.5`.





[GitHub] [zookeeper] nkalmar commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar commented on a change in pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#discussion_r537103170



##########
File path: zookeeper-server/src/main/resources/lib/jetty-http-9.4.35.v20201120.LICENSE.txt
##########
@@ -1,8 +1,7 @@
 This program and the accompanying materials are made available under the
-terms of the Eclipse Public License 1.0 which is available at
-https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
-or the Apache Software License 2.0 which is available at
-https://www.apache.org/licenses/LICENSE-2.0
+terms of the Eclipse Public License 2.0 which is available at
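Review bot: the snippet stops at the added line `+terms of the Eclipse Public License 2.0 which is available at`, so neither the URL that must follow it nor whether the removed "or the Apache Software License 2.0" alternative was kept is visible, even though the hunk header says eight lines became seven. Since this file ships under zookeeper-server/src/main/resources/lib as the bundled notice for the new artifact, compare the whole file against the LICENSE text distributed with jetty-9.4.35.v20201120 rather than only these first lines; note also that the path shown is the jetty-http notice while the comment concerns jetty-client.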

Review comment:
       Please remove this license file as 3.5 no longer uses jetty-client. Thank you!







[GitHub] [zookeeper] ztzg closed pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg closed pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554


   





[GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#issuecomment-739568940


   > In branch 3.5 we also have an ant/ivy based build.
   > We should update the Ivy file as well.
   
   Indeed; I had missed that!  Done.





[GitHub] [zookeeper] nkalmar edited a comment on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar edited a comment on pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#issuecomment-740209494


   @eolivelli PTAL, ant build is also fixed.
   
   edit: waiting on master branch PR if Patrick wants to take another look, but feel free to commit if you feel like everything is a go Enrico. Otherwise I will probably try to commit them tomorrow.





[GitHub] [zookeeper] ztzg commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#issuecomment-739569331


   > This will need to be cherry-picked to 3.5.9 branch as well. (Reminder for me or if I'm not the one merging to fellow committers).
   
   This one already is for 3.5.9.  There are sister PRs:
   
   * `master`: https://github.com/apache/zookeeper/pull/1552
   * `branch-3.6`: https://github.com/apache/zookeeper/pull/1553
   
   





[GitHub] [zookeeper] nkalmar commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#issuecomment-739547910


   This will need to be cherry-picked to the 3.5.9 branch as well. (Reminder for me or, if I'm not the one merging, for fellow committers.)





[GitHub] [zookeeper] nkalmar commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar commented on a change in pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#discussion_r537104103



##########
File path: zookeeper-server/src/main/resources/lib/jetty-http-9.4.35.v20201120.LICENSE.txt
##########
@@ -1,8 +1,7 @@
 This program and the accompanying materials are made available under the
-terms of the Eclipse Public License 1.0 which is available at
-https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
-or the Apache Software License 2.0 which is available at
-https://www.apache.org/licenses/LICENSE-2.0
+terms of the Eclipse Public License 2.0 which is available at

Review comment:
       I'm seeing my comment on jetty-http on the main page, but on "files" page I commented on jetty-client. Strange. But it's the jetty-client that we don't need.







[GitHub] [zookeeper] nkalmar commented on pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#issuecomment-740209494


   @eolivelli PTAL, ant build is also fixed.





[GitHub] [zookeeper] ztzg commented on a change in pull request #1554: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on a change in pull request #1554:
URL: https://github.com/apache/zookeeper/pull/1554#discussion_r537131764



##########
File path: zookeeper-server/src/main/resources/lib/jetty-http-9.4.35.v20201120.LICENSE.txt
##########
@@ -1,8 +1,7 @@
 This program and the accompanying materials are made available under the
-terms of the Eclipse Public License 1.0 which is available at
-https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
-or the Apache Software License 2.0 which is available at
-https://www.apache.org/licenses/LICENSE-2.0
+terms of the Eclipse Public License 2.0 which is available at

Review comment:
       > Please remove this license file as 3.5 no longer uses jetty-client. Thank you!
   >
   > I'm seeing my comment on jetty-http on the main page, but on "files" page I commented on jetty-client. Strange. But it's the jetty-client that we don't need.
   
   I had already removed `jetty-client` on this branch:
   
   ```
   $ ls zookeeper-server/src/main/resources/lib/jetty-*
   zookeeper-server/src/main/resources/lib/jetty-http-9.4.35.v20201120.LICENSE.txt
   zookeeper-server/src/main/resources/lib/jetty-io-9.4.35.v20201120.LICENSE.txt
   zookeeper-server/src/main/resources/lib/jetty-security-9.4.35.v20201120.LICENSE.txt
   zookeeper-server/src/main/resources/lib/jetty-server-9.4.35.v20201120.LICENSE.txt
   zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.35.v20201120.LICENSE.txt
   zookeeper-server/src/main/resources/lib/jetty-util-9.4.35.v20201120.LICENSE.txt
   zookeeper-server/src/main/resources/lib/jetty-util-ajax-9.4.35.v20201120.LICENSE.txt
   ```
   
   The reason you are observing a mix-up, and your comment landed in a strange place, is because Git thinks I have renamed `jetty-client-9.4.34` to `jetty-http-9.4.35`, etc., and that I have deleted `jetty-server-9.4.34`!  (Similar contents and different file names throw its rename detector off.)
   
   The result is correct.  The Git commit is correct.  It's only the diff which *appears* wrong (it is actually correct, but overly convoluted).
   
   So unless I'm missing something else, I think we're good.
   
   




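The mix-up ztzg describes above (a delete/add of same-content LICENSE files shown as renames plus a deletion) is worth seeing in isolation, because a dependency bump for a CVE is exactly the change a reviewer wants to read as plain adds and deletes. The following is an added example for this thread, not code from the ZooKeeper project: it pairs deleted and added files by content similarity the way a rename detector does, then renders the same change with detection off. The pairing is a simplified stand-in for git's `-M` heuristic (an assumption: git's scoring and tie-breaking differ in detail, but it likewise ignores file names), the license text is a constructed placeholder, and the paths are the ones listed in the thread.

```python
"""Why a version bump of identical bundled LICENSE files yields a misleading diff.

Added example, not ZooKeeper or Jetty code. The rename pairing below is a
simplified stand-in for git's -M heuristic (assumption: git scores and breaks
ties differently, but also pairs purely on content, never on file names).
"""
from difflib import SequenceMatcher

# Constructed sample: Jetty's per-module LICENSE files carry the same text,
# which is what confuses content-based rename detection. Placeholder text.
LICENSE_TEXT = (
    "This program and the accompanying materials are made available under the\n"
    "terms of <license name> which is available at <license url>\n"
)
LIB = "zookeeper-server/src/main/resources/lib/"
OLD, NEW = "9.4.34.v20201102", "9.4.35.v20201120"

BEFORE = {f"{LIB}jetty-{m}-{OLD}.LICENSE.txt": LICENSE_TEXT
          for m in ("client", "http", "server")}
AFTER = {f"{LIB}jetty-{m}-{NEW}.LICENSE.txt": LICENSE_TEXT
         for m in ("http", "server")}  # jetty-client is dropped on this branch


def similarity(a: str, b: str) -> float:
    """Content similarity in [0, 1]; identical files score 1.0."""
    return SequenceMatcher(None, a, b).ratio()


def detect_renames(before, after, threshold=0.5):
    """Greedily pair each deleted path with the most similar added path.

    Returns (renames, unpaired_deleted, unpaired_added), where renames is a
    list of (old_path, new_path, score). Ties are broken by path order; that
    tie-break is an assumption, chosen because it reproduces the pairing the
    thread describes (client-9.4.34 -> http-9.4.35, server-9.4.34 deleted).
    """
    deleted = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    scored = sorted(
        ((similarity(before[d], after[a]), d, a) for d in deleted for a in added),
        key=lambda t: (-t[0], t[1], t[2]),
    )
    renames, used_old, used_new = [], set(), set()
    for score, d, a in scored:
        if score < threshold or d in used_old or a in used_new:
            continue
        renames.append((d, a, score))
        used_old.add(d)
        used_new.add(a)
    return (renames,
            [d for d in deleted if d not in used_old],
            [a for a in added if a not in used_new])


def describe_change(before, after, find_renames=True):
    """Render the change as a reviewer would see it.

    With rename detection the bump appears as renames plus one deletion; with
    it off (the equivalent of `git diff --no-renames`) it is the plain list of
    deletions and additions that really happened, which is the view to use
    when checking that a dependency bump removed and added the right files.
    """
    if not find_renames:
        deleted = sorted(set(before) - set(after))
        added = sorted(set(after) - set(before))
        return [f"D {p}" for p in deleted] + [f"A {p}" for p in added]
    renames, deleted, added = detect_renames(before, after)
    return ([f"R{int(round(score * 100)):03d} {d} -> {a}" for d, a, score in renames]
            + [f"D {p}" for p in deleted] + [f"A {p}" for p in added])


if __name__ == "__main__":
    print("with rename detection:")
    for line in describe_change(BEFORE, AFTER):
        print(" ", line)
    print("without rename detection:")
    for line in describe_change(BEFORE, AFTER, find_renames=False):
        print(" ", line)
```

The practical takeaway is the second listing: when reviewing a mass rename of bundled notices or similar same-content files, ask git for the view without rename detection (`git diff --no-renames`, or `git show --no-renames` on the commit) so the file set that was actually removed and added, here three old notices gone and two new ones present with no jetty-client, is what you verify against the resolved dependency set.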