Posted to issues@storm.apache.org by "Jungtaek Lim (JIRA)" <ji...@apache.org> on 2018/02/01 04:37:00 UTC

[jira] [Commented] (STORM-2918) Upgrade Netty version

    [ https://issues.apache.org/jira/browse/STORM-2918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16348000#comment-16348000 ] 

Jungtaek Lim commented on STORM-2918:
-------------------------------------

[~dbist13]

We're utilizing fix version(s) to determine which version we reflected the change in, hence it should be labeled while merging the patch.

Btw, we are in the process of voting to release Storm 1.2.0/1.1.2/1.0.6 all together, so please also vote -1 in the ongoing RCs if you're subscribed to the storm-dev mailing list.

> Upgrade Netty version
> ---------------------
>
>                 Key: STORM-2918
>                 URL: https://issues.apache.org/jira/browse/STORM-2918
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>    Affects Versions: 2.0.0, 1.1.1, 1.2.0, 1.0.5
>         Environment: rev: f37a6bd99d10f65a43becadcd7f7615715e5dc0b
> jdk: 1.8.0_162
> mvn: 3.5.2
>            Reporter: Artem Ervits
>            Assignee: Artem Ervits
>            Priority: Blocker
>              Labels: newbie, pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> netty 3.9.0 has been out since June 2014, and netty 3.9.9 was released in July 2015. On top of that, there are two known CVEs for netty below 3.9.2:
> CVE-2014-0193 [https://www.us-cert.gov/ncas/bulletins/SB14-132]
> CVE-2014-3488 [https://www.cvedetails.com/cve/CVE-2014-3488/]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)