Posted to dev@flume.apache.org by "Mike Percy (JIRA)" <ji...@apache.org> on 2017/07/05 19:49:00 UTC

[jira] [Commented] (FLUME-3115) Upgrade netty library dependency

    [ https://issues.apache.org/jira/browse/FLUME-3115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075293#comment-16075293 ] 

Mike Percy commented on FLUME-3115:
-----------------------------------

The CVE says versions of Netty prior to 3.9.2 are vulnerable to a DoS attack when using SslHandler. Curator is pulling in the old netty version. The version that Flume depends on (looking at trunk) is 3.9.4, but it's possible that, since both are on the classpath, either one may actually be being used.

Really, Curator and Flume should both probably be shading Netty.

Flume may be vulnerable to this DoS today because it uses SslHandler in a couple of places:

{code}
$ ag -l SslHandler
flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
flume-ng-core/src/test/java/org/apache/flume/source/TestAvroSource.java
flume-ng-core/src/test/java/org/apache/flume/sink/TestAvroSink.java
flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java
{code}

> Upgrade netty library dependency
> --------------------------------
>
>                 Key: FLUME-3115
>                 URL: https://issues.apache.org/jira/browse/FLUME-3115
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|
> Note: This artifact was moved to:
> - New Group	io.netty
> - New Artifact	netty-all
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/
> Please do:
> - double check the newest version.
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
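The comment above points out that with two Netty jars on the classpath it is not obvious which one the JVM actually loads. The following is an added example, not code from Flume, Curator or the Netty project: a small diagnostic that, run on the same classpath as the agent, reports which jar wins for `SslHandler`, what `Implementation-Version` that jar declares, and every other jar that also carries the class. The class names are the real Netty 3.x (`org.jboss.netty`) and 4.x (`io.netty`) packages; the classpath you pass on the command line is your own.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Added diagnostic (not Flume code): shows which Netty jar supplies SslHandler
// at runtime and whether duplicate copies are present on the classpath.
public class NettyClasspathCheck {

    // Netty 3.x lived under org.jboss.netty; 4.x (netty-all) moved to io.netty.
    static final String[] CANDIDATES = {
        "org.jboss.netty.handler.ssl.SslHandler",
        "io.netty.handler.ssl.SslHandler"
    };

    /** Every jar/directory on the classpath that contains the given class, not only the winner. */
    public static List<URL> allCopies(String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        List<URL> found = new ArrayList<>();
        Enumeration<URL> urls = NettyClasspathCheck.class.getClassLoader().getResources(resource);
        while (urls.hasMoreElements()) {
            found.add(urls.nextElement());
        }
        return found;
    }

    /** The jar the class loader actually resolved, plus its manifest version if declared. */
    public static String winner(String className) {
        try {
            Class<?> cls = Class.forName(className);
            CodeSource src = cls.getProtectionDomain().getCodeSource();
            URL loc = (src == null) ? null : src.getLocation();
            Package pkg = cls.getPackage();
            String ver = (pkg == null) ? null : pkg.getImplementationVersion();
            return (loc == null ? "(unknown location)" : loc.toString())
                 + " Implementation-Version=" + (ver == null ? "(not declared)" : ver);
        } catch (ClassNotFoundException e) {
            return "not present";
        }
    }

    public static void main(String[] args) throws IOException {
        for (String name : CANDIDATES) {
            System.out.println(name);
            System.out.println("  loaded from: " + winner(name));
            List<URL> copies = allCopies(name);
            System.out.println("  copies on classpath: " + copies.size());
            for (URL u : copies) {
                System.out.println("    " + u);
            }
            if (copies.size() > 1) {
                // More than one jar offers the class; which one wins depends on
                // classpath order, which is exactly the ambiguity the comment describes.
                System.out.println("  WARNING: duplicate copies; version in use depends on classpath order");
            }
        }
    }
}
```

Compile it and run it with the agent's lib directory on the classpath (for example `java -cp 'lib/*:.' NettyClasspathCheck`, where `lib/` is whatever directory your distribution uses). A result showing an `org.jboss.netty` copy with a version below 3.9.2, or two copies of the class, is the condition the comment is concerned about; shading, as the comment suggests, removes the ambiguity because the relocated class no longer shares a name with the other jar's copy.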