Posted to issues@drill.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/03/03 16:11:00 UTC

[jira] [Commented] (DRILL-7790) Build Drill with Netty version 4.1.50.Final

    [ https://issues.apache.org/jira/browse/DRILL-7790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17294630#comment-17294630 ] 

ASF GitHub Bot commented on DRILL-7790:
---------------------------------------

rymarm opened a new pull request #2185:
URL: https://github.com/apache/drill/pull/2185


   # [DRILL-7790](https://issues.apache.org/jira/browse/DRILL-7790): Build Drill with Netty version 4.1.50.Final
   
   `Netty` version `4.0.48.Final` has vulnerabilities such as CVE-2019-16869, CVE-2014-3488 and others. I want to update to the latest available stable version of `Netty`, `4.1.59.Final`.
   
   `ChannelPromise` and `ChannelFuture` were replaced with `DefaultPromise` and `Future` accordingly. This was done in response to the changes in https://github.com/netty/netty/commit/1740f366eb728ea5a0a63d18e9042161673414cd . `ChannelPromise` and `ChannelFuture` were being used incorrectly, and Netty's changes anticipate that.
   
   Another breaking `Netty` change is https://github.com/netty/netty/commit/39cc7a673939dec96258ff27f5b1874671838af0 . In Drill we have `ByteBuffAlocater`, which doesn't support heap buffers. But that Netty commit changed the internal behavior of `SslHandler`. Previously, regardless of the chosen SSL engine, only `directBuffer()` or `buffer()` were used, which in our case both led to the same thing: `directBuffer`. Now the behavior has changed, and for the JDK SSL engine `heapBuffer()` is always used, which is not supported in Drill. So I'm not sure how to resolve this issue. In this PR I propose to use `directBuffer()` under `heapBuffer()`, but it is not the best solution. Maybe someone from the Drill community knows a better solution?
   
   ## Documentation
   No user-visible changes
   
   ## Testing
   Unit tests
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
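
The workaround the PR description proposes (serving a direct buffer when `heapBuffer()` is requested) can be sketched against Netty's public allocator API. The following is an added illustrative example written for this page; it is not code from the Drill pull request, from Drill's own allocator, or from Netty. The class name `DirectOnlyAllocator` and the `main` method are assumptions chosen for the example, and it delegates to `PooledByteBufAllocator.DEFAULT` only so that it runs stand-alone against the Netty 4.1 jar.

```java
// Added illustrative example, not code from the Drill PR or from Netty itself.
// It shows the workaround described in the PR: an allocator that only hands out
// direct buffers, so that a caller requesting heapBuffer() (Netty 4.1's SslHandler
// with the JDK SSLEngine, per the PR description) still receives a usable buffer.
// DirectOnlyAllocator and main() are assumed names for this example; Drill's real
// allocator class is not reproduced here.
import io.netty.buffer.AbstractByteBufAllocator;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.PooledByteBufAllocator;

public final class DirectOnlyAllocator extends AbstractByteBufAllocator {

    // Stand-in for a real direct-memory allocator; Netty's pooled allocator is used
    // here only so the example runs without any Drill classes.
    private final PooledByteBufAllocator delegate = PooledByteBufAllocator.DEFAULT;

    public DirectOnlyAllocator() {
        // preferDirect = true: buffer() and ioBuffer() resolve to directBuffer()
        super(true);
    }

    @Override
    protected ByteBuf newHeapBuffer(int initialCapacity, int maxCapacity) {
        // Workaround: a heap-buffer request is answered with a direct buffer.
        // Caveat: hasArray() is false on the returned buffer, so any caller that
        // relies on array() would get UnsupportedOperationException; this only
        // satisfies callers that stay within the ByteBuf read/write API.
        return newDirectBuffer(initialCapacity, maxCapacity);
    }

    @Override
    protected ByteBuf newDirectBuffer(int initialCapacity, int maxCapacity) {
        return delegate.directBuffer(initialCapacity, maxCapacity);
    }

    @Override
    public boolean isDirectBufferPooled() {
        return true;
    }

    // Returns true when a heap-buffer request yields a direct buffer, which is the
    // behaviour the workaround relies on.
    public static boolean heapRequestYieldsDirect() {
        DirectOnlyAllocator alloc = new DirectOnlyAllocator();
        ByteBuf buf = alloc.heapBuffer(256);
        try {
            return buf.isDirect() && !buf.hasArray();
        } finally {
            buf.release();
        }
    }

    public static void main(String[] args) {
        System.out.println("heapBuffer() returns a direct buffer: " + heapRequestYieldsDirect());
    }
}
```

Compile and run with `io.netty:netty-buffer:4.1.x` on the classpath. The check in `heapRequestYieldsDirect()` makes the trade-off explicit: the buffer is direct, and it has no backing array, which is exactly why the PR author calls this "not the best solution" rather than a fix.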


> Build Drill with Netty version 4.1.50.Final
> -------------------------------------------
>
>                 Key: DRILL-7790
>                 URL: https://issues.apache.org/jira/browse/DRILL-7790
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: alka kumari
>            Priority: Major
>
> Hi,
>  
> In Apache Drill Client 1.17, Netty version 4.0.48.Final is being used, and it suffers from a vulnerability (CVE-2019-16869):
>  https://www.cvedetails.com/cve/CVE-2019-16869/
>  https://snyk.io/vuln/maven:io.netty%3Anetty-all
>  
> This has been fixed in the latest netty (4.1.50.Final).
>  
> We want to build Drill with the latest Netty version that is free from any vulnerabilities. 
>  
> As there are many breaking changes from 4.0.48 to 4.1.50, I have modified the code accordingly. 
>  
> I noticed that after trying to upgrade the dependency, I was unable to connect with SSL enabled.
>   
>  ERROR:
>  Connecting to the server timed out. This is sometimes due to a mismatch in the SSL configuration between client and server. [ Exception: Waited 10000 milliseconds for org.apache.drill.shaded.guava.com.google.common.util.concurrent.SettableFuture@6ea2bc93[status=PENDING]].
>   
>  
> I have created a pull request containing the changes which I have tried to make.
>  
> Could someone please advise further on what needs to be changed?
>  
> Regards,
>  Alka



--
This message was sent by Atlassian Jira
(v8.3.4#803005)