Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/03/18 03:18:27 UTC

[GitHub] [servicecomb-java-chassis] Neverstop opened a new issue #2299: Netty vulnerability CVE-2021-21295

Neverstop opened a new issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299


   Could you tell me whether the usage scenarios of our servicecomb components are affected by this?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [servicecomb-java-chassis] yhs0092 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
yhs0092 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-801626044


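   Netty changed its API, which makes Vert.x's `io.vertx.core.http.impl.headers.VertxHttpHeaders#set(java.lang.CharSequence, java.lang.Object)` method incompatible with Netty 4.1.60.Final.
   I checked, and Vert.x 3.9.6 is incompatible with Netty 4.1.60 too, so we have to wait for the Vert.x 3.9 branch to release an updated version...
   When upgrading Netty, please also fix the Java-Chassis 1.3 branch, thanks : )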





[GitHub] [servicecomb-java-chassis] liubao68 closed issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 closed issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299


   





[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-811568927


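   The current plan is to use 4.x directly; integration and verification are in progress. This version has a large number of incompatible API changes.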





[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-834036810


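   This version continues to use vert.x 3; vert.x will be upgraded to 4.x in servicecomb 3.x. vert.x 3 currently has compatibility problems with netty 4.1.60; there is a bug waiting to be fixed, so we need to wait for 3.9.8 or later.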





[GitHub] [servicecomb-java-chassis] wujimin edited a comment on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
wujimin edited a comment on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-875199553


   https://github.com/netty/netty/issues/11334  
   
   Already fixed; waiting for 4.1.66





[GitHub] [servicecomb-java-chassis] qubo11 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
qubo11 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-875198238


   Is there a link to a report of this problem on the netty GitHub?





[GitHub] [servicecomb-java-chassis] yhs0092 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
yhs0092 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-811586413


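   I just saw that Netty's [4.1.61.Final release note](https://netty.io/news/2021/03/30/4-1-61-Final.html "Netty 4.1.61.Final released") shows that version 4.1.60 still has a vulnerability.
   The Netty community's latest version has already moved to [4.1.62.Final](https://netty.io/news/2021/03/31/4-1-62-Final.html "Netty 4.1.62.Final released"), which fixes one more bug relative to 61.
   If we are doing a matching upgrade, could we see whether we can go to 62?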





[GitHub] [servicecomb-java-chassis] fu-hui commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
fu-hui commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-812355506


   
   io.vertx.core.http.impl.headers.VertxHttpHeaders#set(java.lang.CharSequence, java.lang.Object)
   
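   When VertX uses Netty 4.1.60+, the HTTP message parsing flow changes, and only then is the function above called. A simple workaround is to patch the current Vertx so that the Object argument of the VertxHttpHeaders#set and VertxHttpHeaders#add methods is converted with toString first.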





[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-812460824


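   We already plan to upgrade to vert.x 4, https://github.com/apache/servicecomb-java-chassis/pull/2324/files
   
   java-chassis will keep using new versions of open source software and stay continuously updated and integrated; see [Compatibility issues and compatibility policy](https://docs.servicecomb.io/java-chassis/zh_CN/featured-topics/compatibility/).  
   
   To use java-chassis, you need to understand this policy and build up continuous integration and basic automation capabilities to reduce upgrade risk.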





[GitHub] [servicecomb-java-chassis] yhs0092 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
yhs0092 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-858392632


   @liubao68  Vert.x 3.9.8 has been released. Please upgrade the master and 1.3 branches of Java-Chassis.





[GitHub] [servicecomb-java-chassis] wujimin commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
wujimin commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-875199553


   https://github.com/netty/netty/issues/11334





[GitHub] [servicecomb-java-chassis] wujimin commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
wujimin commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-875182342


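   In netty 4.1.65, the mechanism that carries file uploads loses data intermittently  
   This mechanism is not only used for file uploads; it seems POST form data is also lost intermittently (this is not confirmed)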





[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-861360693


   Currently all netty 4.1.60+ versions have bugs that affect important functionality and cannot be used. We need to wait for 4.1.66 or later.





[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-801589515


   https://nvd.nist.gov/vuln/detail/CVE-2021-21295





[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-886354699


   fixed





[GitHub] [servicecomb-java-chassis] yhs0092 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
yhs0092 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-810902942


   Posting an issue from the Vert.x community  https://github.com/eclipse-vertx/vert.x/issues/3865
   It looks like Vert.x will release 3.9.7 soon, compatible with Netty 4.1.60.Final





[GitHub] [servicecomb-java-chassis] wujimin commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
wujimin commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-801659977


   Should we consider upgrading vertx to 4.x?





[GitHub] [servicecomb-java-chassis] qubo11 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
qubo11 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-875201758


   OK, thanks.





[GitHub] [servicecomb-java-chassis] qubo11 commented on issue #2299: Netty vulnerability CVE-2021-21295

Posted by GitBox <gi...@apache.org>.
qubo11 commented on issue #2299:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2299#issuecomment-874789638


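   vertx has been upgraded to 3.9.8, and netty defaults to a dependency on 4.1.65. Will java-chassis-dependencies 2.1.5 have functional problems?
   We are running it for now and have not found any errors.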

