Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 #23596

Merged
merged 1 commit into from
Nov 13, 2024
Merged

[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 #23596

merged 1 commit into from
Nov 13, 2024

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Nov 13, 2024

Motivation

Upgrade to Netty 4.1.115.Final to address CVE-2024-47535. This DoS vulnerability doesn't practically apply to Pulsar since the vulnerability requires write access to the filesystem where the application using Netty is running. However, it's always useful to address CVEs by upgrading to a version that doesn't contain known vulnerabilities.

Modifications

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari self-assigned this Nov 13, 2024
@lhotari lhotari added this to the 4.1.0 milestone Nov 13, 2024
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 13, 2024
@lhotari lhotari mentioned this pull request Nov 13, 2024
Closed
dao-jun
dao-jun approved these changes Nov 13, 2024
View reviewed changes
Copy link
Member

@dao-jun dao-jun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gergelyfabian gergelyfabian mentioned this pull request Nov 13, 2024
Closed
3 tasks
@nodece nodece merged commit 04c80f1 into apache:master Nov 13, 2024
49 of 57 checks passed
@gergelyfabian
Copy link

Thank you for fixing this!

@gergelyfabian
Copy link

Will there be a backported fix for the 3.* release line or only 4.*?

lhotari added a commit that referenced this pull request Nov 13, 2024
@lhotari
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (#…
73b7c4d 
…23596)

(cherry picked from commit 04c80f1)
lhotari added a commit that referenced this pull request Nov 13, 2024
@lhotari
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (#…
a436872 
…23596)

(cherry picked from commit 04c80f1)
lhotari added a commit that referenced this pull request Nov 13, 2024
@lhotari
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (#…
db32c56 
…23596)

(cherry picked from commit 04c80f1)
@lhotari
Copy link
Member Author

lhotari commented Nov 13, 2024

Will there be a backported fix for the 3.* release line or only 4.*?

@gergelyfabian Yes. The changes in this PR have been cherry-picked to branch-3.0, branch-3.3 and branch-4.0.

@gergelyfabian
Copy link

Will there be a backported fix for the 3.* release line or only 4.*?

@gergelyfabian Yes. The changes in this PR have been cherry-picked to branch-3.0, branch-3.3 and branch-4.0.

Thank you, very useful.

nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 20, 2024
@lhotari @nikhil-ctds
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (a…
b935c82 
…pache#23596)

(cherry picked from commit 04c80f1)
(cherry picked from commit 73b7c4d)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 21, 2024
@lhotari @srinath-ctds
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (a…
ac6c19f 
…pache#23596)

(cherry picked from commit 04c80f1)
(cherry picked from commit 73b7c4d)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dao-jun dao-jun dao-jun approved these changes

@nodece nodece nodece approved these changes

@merlimat merlimat Awaiting requested review from merlimat

@Technoboy- Technoboy- Awaiting requested review from Technoboy-

@heesung-sn heesung-sn Awaiting requested review from heesung-sn

Assignees

@lhotari lhotari

Labels
area/security cherry-picked/branch-3.0 cherry-picked/branch-3.3 cherry-picked/branch-4.0 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.8 release/3.3.3 release/4.0.1
Projects
None yet
Milestone
4.1.0
Development

Successfully merging this pull request may close these issues.
4 participants
@lhotari @gergelyfabian @nodece @dao-jun