Flume / FLUME-3363

CVE-2019-20445

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.9.0
    • Fix Version/s: 1.10.0
    • Component/s: Channel

    Description

      flume-ng-core-1.9.0 requires the Netty component, and the required version is as follows:
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty</artifactId>
        <version>3.10.6.Final</version>
      </dependency>
      I think we should upgrade Netty to its latest version: netty-4.1.45.Final. The reasons are as follows:
      The CVE-2019-20445 vulnerability exists in netty-3.10.6.Final: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. For details see: https://nvd.nist.gov/vuln/detail/CVE-2019-20445
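
      The header combinations named in the CVE text above, written as a stand-alone framing check. This is an added example, not code from Netty or Flume: the class `FramingCheck`, the method `rejectReason` and the sample headers are constructed for illustration, and rejecting every repeated Content-Length value is an assumed strict policy.

```java
import java.util.List;
import java.util.Locale;

public class FramingCheck {
    /** Returns null when message framing is unambiguous, otherwise the reason to reject. */
    static String rejectReason(List<String> headerLines) {
        int contentLengthCount = 0;
        boolean hasTransferEncoding = false;
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon <= 0) {
                continue; // not a "name: value" line; out of scope for this check
            }
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (name.equals("content-length")) {
                // A comma-separated list in one header also carries more than one length.
                contentLengthCount += value.split(",", -1).length;
            } else if (name.equals("transfer-encoding")) {
                hasTransferEncoding = true;
            }
        }
        if (contentLengthCount > 1) {
            return "multiple Content-Length values";
        }
        if (contentLengthCount == 1 && hasTransferEncoding) {
            return "Content-Length together with Transfer-Encoding";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample header sets, not captured traffic.
        List<List<String>> samples = List.of(
            List.of("Host: flume.example", "Content-Length: 12"),
            List.of("Host: flume.example", "Content-Length: 12", "Content-Length: 0"),
            List.of("Host: flume.example", "Content-Length: 12", "Transfer-Encoding: chunked"),
            List.of("Host: flume.example", "content-length: 12, 0"));
        for (List<String> headers : samples) {
            String reason = rejectReason(headers);
            System.out.println(headers + " -> " + (reason == null ? "accept" : "reject: " + reason));
        }
    }
}
```

      Only the first sample is accepted; the other three are rejected because a receiver and an intermediary could disagree on where the message body ends.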
       

            People

              Assignee: Unassigned
              Reporter: dlzp