You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flume.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2022/01/25 02:43:00 UTC

[jira] [Resolved] (FLUME-3363) CVE-2019-20445

     [ https://issues.apache.org/jira/browse/FLUME-3363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralph Goers resolved FLUME-3363.
--------------------------------
    Resolution: Fixed

> CVE-2019-20445
> --------------
>
>                 Key: FLUME-3363
>                 URL: https://issues.apache.org/jira/browse/FLUME-3363
>             Project: Flume
>          Issue Type: Improvement
>          Components: Channel
>    Affects Versions: 1.9.0
>            Reporter: dlzp
>            Priority: Blocker
>              Labels: Upgrade, netty, version
>             Fix For: 1.10.0
>
>
> flume-ng-core-1.9.0 requires the Netty component, and the required version is as follows:
> <dependency>
>  <groupId>io.netty</groupId>
>  <artifactId>netty</artifactId>
>  <version>3.10.6.Final</version>
> </dependency>
> I think we should upgrade Netty to its latest version: netty-4.1.45.Final. The reasons are as follows:
> The CVE-2019-20445 vulnerability exists in netty-3.10.6.Final: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. For details see: https://nvd.nist.gov/vuln/detail/CVE-2019-20445
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@flume.apache.org
For additional commands, e-mail: issues-help@flume.apache.org