Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2022/02/11 11:41:13 UTC

[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

symat commented on pull request #1817:
URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036119664


   Are we absolutely sure we can simply skip these checks for the netty-tcnative library? Isn't this something we use through netty when we do ClientTLS or QuorumTLS?
   
   I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes:
   ```xml
       <netty.version>4.1.73.Final</netty.version>
       <netty.tcnative.version>2.0.48.Final</netty.tcnative.version>
   
   (...)
   
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-handler</artifactId>
           <version>${netty.version}</version>
           <exclusions>
             <exclusion>
               <groupId>io.netty</groupId>
               <artifactId>netty-tcnative-classes</artifactId>
             </exclusion>
           </exclusions>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-epoll</artifactId>
           <version>${netty.version}</version>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-tcnative</artifactId>
           <version>${netty.tcnative.version}</version>
         </dependency>
     
   ```
   
   Some of these CVEs are actually quite scary (many affecting only the HTTPS admin API interface, but some can affect regular QuorumSSL and ClientSSL interfaces too, AFAICT).
   
   I also don't really understand what the netty-tcnative-classes artifact is. It is not mentioned in the documentation I found about netty-tcnative: https://netty.io/wiki/forked-tomcat-native.html


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@zookeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
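The version skew the comment above points at (a recent `netty.version` next to a much older `netty.tcnative.version`, with `netty-tcnative-classes` excluded from `netty-handler`) is the kind of thing worth checking mechanically before suppressing scanner findings. The following is an added example, not code from the ZooKeeper project or from the commenter: it parses a constructed pom.xml fragment that mirrors the one quoted in the comment, resolves `${...}` property references, lists every dependency with its exclusions, and reports the distinct versions in use for one groupId. Function and variable names (`list_dependencies`, `group_versions`, `SAMPLE_POM`) are this example's own and not from the project.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample: a minimal pom.xml built around the fragment quoted in the comment.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>pom-audit-sample</artifactId>
  <version>1.0</version>
  <properties>
    <netty.version>4.1.73.Final</netty.version>
    <netty.tcnative.version>2.0.48.Final</netty.tcnative.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>${netty.version}</version>
      <exclusions>
        <exclusion>
          <groupId>io.netty</groupId>
          <artifactId>netty-tcnative-classes</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-transport-native-epoll</artifactId>
      <version>${netty.version}</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-tcnative</artifactId>
      <version>${netty.tcnative.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def _t(name):
    """Qualify a tag name with the Maven POM namespace."""
    return f"{{{POM_NS}}}{name}"


def _text(elem, name, default=""):
    child = elem.find(_t(name))
    return child.text.strip() if child is not None and child.text else default


def _resolve(value, props):
    """Expand ${prop} references; unknown properties are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def list_dependencies(pom_text):
    """Return [(groupId, artifactId, resolved version, [excluded group:artifact, ...]), ...]."""
    root = ET.fromstring(pom_text)
    props = {}
    properties = root.find(_t("properties"))
    if properties is not None:
        for p in properties:
            props[p.tag.split("}", 1)[1]] = (p.text or "").strip()
    deps = []
    for dep in root.findall(f"{_t('dependencies')}/{_t('dependency')}"):
        exclusions = [
            f"{_text(e, 'groupId')}:{_text(e, 'artifactId')}"
            for e in dep.findall(f"{_t('exclusions')}/{_t('exclusion')}")
        ]
        deps.append((
            _text(dep, "groupId"),
            _text(dep, "artifactId"),
            _resolve(_text(dep, "version"), props),
            exclusions,
        ))
    return deps


def group_versions(deps, group):
    """Map artifactId -> version for one groupId, so version skew is visible at a glance."""
    return {artifact: version for g, artifact, version, _ in deps if g == group}


if __name__ == "__main__":
    deps = list_dependencies(SAMPLE_POM)
    for group, artifact, version, exclusions in deps:
        print(f"{group}:{artifact}:{version}  excludes={exclusions}")
    versions = group_versions(deps, "io.netty")
    if len(set(versions.values())) > 1:
        print("io.netty artifacts are pinned to more than one version:", versions)
```

Running it on the sample prints the three io.netty artifacts, shows that `netty-tcnative-classes` is excluded from `netty-handler`, and flags that the io.netty group resolves to two different versions. A scanner suppression for the tcnative artifacts would hide exactly the older-versioned entry this output points at, which is why the question above about whether those checks can be skipped is the right one to ask first.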