  1. Flume
  2. FLUME-3363

CVE-2019-20445

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 1.9.0
    • Fix Version/s: 2.0.0
    • Component/s: Channel

      Description

      flume-ng-core-1.9.0 requires the Netty component, and the required version is as follows:
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty</artifactId>
        <version>3.10.6.Final</version>
      </dependency>
      I think we should upgrade Netty to its latest version: netty-4.1.45.Final. The reasons are as follows:
      The CVE-2019-20445 vulnerability exists in netty-3.10.6.Final: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. For details see: https://nvd.nist.gov/vuln/detail/CVE-2019-20445
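
The two header combinations named in the CVE description above can be checked for at a proxy or in a log pipeline. The following Python sketch is an added example, not part of the original issue and not Flume or Netty code; the function name `framing_issues` and the sample requests are constructed for illustration.

```python
# Added example: flag HTTP/1.x header blocks whose message framing is ambiguous
# in the two ways named for CVE-2019-20445 (second Content-Length, or
# Content-Length together with Transfer-Encoding).

def framing_issues(raw_message: bytes) -> list:
    """Return the framing problems found in one raw HTTP/1.x message."""
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # skip the request/status line
    content_lengths = []
    has_transfer_encoding = False
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "name: value" line; out of scope for this check
        # Header names are case-insensitive; strip so padding cannot hide one.
        key = name.strip().lower()
        if key == b"content-length":
            # A comma-separated list counts as several values.
            content_lengths.extend(v.strip() for v in value.split(b","))
        elif key == b"transfer-encoding":
            has_transfer_encoding = True
    issues = []
    # Strict policy: any repeat is flagged, even when the values are identical.
    if len(content_lengths) > 1:
        issues.append("multiple Content-Length values")
    if content_lengths and has_transfer_encoding:
        issues.append("Content-Length with Transfer-Encoding")
    return issues

# Constructed sample messages (not captured traffic).
SAMPLE_OK = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello")
SAMPLE_DUP = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\ncontent-length: 0\r\n\r\nhello")
SAMPLE_CL_TE = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"0\r\n\r\n")

if __name__ == "__main__":
    for label, msg in [("ok", SAMPLE_OK), ("dup", SAMPLE_DUP),
                       ("cl+te", SAMPLE_CL_TE)]:
        print(label, framing_issues(msg))
```

A front end that rejects any message for which this returns a non-empty list never forwards a request whose body length a back end could interpret differently.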
       

              People

              • Assignee: Unassigned
              • Reporter: dlzp dlzp
              • Votes: 1
              • Watchers: 3
