Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2020/12/05 19:58:03 UTC

[GitHub] [zookeeper] ztzg opened a new pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

ztzg opened a new pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552


   Bump jetty.version to 9.4.35.v20201120.
   
   The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120)
   mention [issue 5605](https://github.com/eclipse/jetty.project/issues/5605):
   
   > java.io.IOException: unconsumed input during http request parsing
   
   which seems to match the description of
   [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218)


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-750902115


   Merged in `master`.





[GitHub] [zookeeper] phunt commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
phunt commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-745641605


   sg - +1 Thanks!





[GitHub] [zookeeper] ztzg commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on a change in pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#discussion_r537747876



##########
File path: zookeeper-server/src/main/resources/lib/jetty-client-9.4.35.v20201120.LICENSE.txt
##########
@@ -1,8 +1,7 @@
 This program and the accompanying materials are made available under the
-terms of the Eclipse Public License 1.0 which is available at
-https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
-or the Apache Software License 2.0 which is available at
-https://www.apache.org/licenses/LICENSE-2.0
+terms of the Eclipse Public License 2.0 which is available at
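
Review bot: The removed lines in this LICENSE.txt hunk include "or the Apache Software License 2.0", while the only added line shown names the Eclipse Public License 2.0, so as quoted the Apache 2.0 alternative is no longer visible. The hunk header (`-1,8 +1,7`) says the new text runs to 7 lines but the quote stops after the first added line; please confirm that the remainder of the new file still states the second license option, and that any other place in the tree that describes the license of the bundled Jetty jars is updated for the EPL 1.0 to EPL 2.0 change.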

Review comment:
       (@phunt: In case you were suggesting to remove `jetty-client` from the POM in `master`, that would break [ZOOKEEPER-3948: Introduce a deterministic runtime behavior injection framework for ZooKeeperServer testing](https://github.com/apache/zookeeper/commit/4432f5b44359).)







[GitHub] [zookeeper] ztzg commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on a change in pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#discussion_r536895120



##########
File path: zookeeper-server/src/main/resources/lib/jetty-client-9.4.35.v20201120.LICENSE.txt
##########
@@ -1,8 +1,7 @@
 This program and the accompanying materials are made available under the
-terms of the Eclipse Public License 1.0 which is available at
-https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
-or the Apache Software License 2.0 which is available at
-https://www.apache.org/licenses/LICENSE-2.0
+terms of the Eclipse Public License 2.0 which is available at

Review comment:
       @phunt: This patch is for `master`, which still pulls `jetty-client`; I have noted that it should not be included in `branch-3.5`.
   
   @eolivelli: Yes, will do so.  And `branch-3.6`, too, as it does not cherry-pick clean.







[GitHub] [zookeeper] nkalmar commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-743392139


   Looks like some Jenkins issue:
   `autoreconf: cannot create /tmp/user/910/ar8984.26381: No such file or directory`





[GitHub] [zookeeper] eolivelli commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
eolivelli commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-750892920


   Yes go ahead please





[GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-750892156


   > And here are the sister PRs:
   > 
   > * `branch-3.6`: #1553
   > * `branch-3.5`: #1554
   
   I think we have enough approvals, and have had enough time to ponder the changes in these three PRs :)
   
   Should I just merge them?  @eolivelli, WDYT?





[GitHub] [zookeeper] ztzg closed pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg closed pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552


   





[GitHub] [zookeeper] phunt commented on a change in pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
phunt commented on a change in pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#discussion_r536891728



##########
File path: zookeeper-server/src/main/resources/lib/jetty-client-9.4.35.v20201120.LICENSE.txt
##########
@@ -1,8 +1,7 @@
 This program and the accompanying materials are made available under the
-terms of the Eclipse Public License 1.0 which is available at
-https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
-or the Apache Software License 2.0 which is available at
-https://www.apache.org/licenses/LICENSE-2.0
+terms of the Eclipse Public License 2.0 which is available at

Review comment:
       It looks like jetty-client is no longer used - perhaps you can remove as part of this commit?
   
   You can double check - take a look at the binary artifact, this jar is not included. thx.







[GitHub] [zookeeper] nkalmar commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
nkalmar commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-740208991


   @phunt can you please take another look? On 3.5, Damien removed the client license file:
   https://github.com/apache/zookeeper/pull/1554
   We can merge all 3 PRs once everything is all cleared up, and move forward with the 3.5.9 release. (3.5 branch's PR is all good, but I don't want to merge it before master)





[GitHub] [zookeeper] ztzg commented on pull request #1552: ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Posted by GitBox <gi...@apache.org>.
ztzg commented on pull request #1552:
URL: https://github.com/apache/zookeeper/pull/1552#issuecomment-739419155


   And here are the sister PRs:
   
   * `branch-3.6`: https://github.com/apache/zookeeper/pull/1553
   * `branch-3.5`: https://github.com/apache/zookeeper/pull/1554

