Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 3.0.0
    • None
    • James Core
    • None

    Description

      James is currently using the netty dependency:
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty</artifactId>
        <version>3.10.6.Final</version>
      </dependency>
      I think we should upgrade to the newer artifact:
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>4.1.16.Final</version>
      </dependency>

      Attachments

        1. dependency-check-report.html
          663 kB
          Jan Busch

        Activity

          matthieu Matthieu Baechler added a comment -

          Netty 4 is not API compatible with Netty 3 so we have to port James code, it's not just a dependency update.

          j.busch Jan Busch added a comment -

          I think an upgrade would still be great since the latest Netty 3 version has some security flaws that are fixed in newer versions of Netty 4, see the attached file dependency-check-report.html

          This can make it problematic to use James in contexts with potentially sensitive software or users.


          matthieu Matthieu Baechler added a comment -

          I read the report and the 4 vulnerabilities are related to HTTP.
          We don't use netty 3 for HTTP so we are safe.

          Still, if you want to contribute the upgrade to Netty 4, we can offer some help.

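One way to check the reachability argument from the comment above against a source tree, as an added example that is not code from the James project: it reports which Java files reference the Netty 3 HTTP codec package (`org.jboss.netty.handler.codec.http`) and which use only other Netty 3 packages. The file names and sample sources are constructed, and the scan covers direct references only, not other libraries on the classpath that may use the codec.

```python
import re

# Netty 3 lives under org.jboss.netty; its HTTP codec is this package.
HTTP_PKG = "org.jboss.netty.handler.codec.http"
# Package part of a Netty 3 reference: lower-case segments only, so the match
# stops before the class name or a trailing ".*".
NETTY3_REF = re.compile(r"\borg\.jboss\.netty\b(?:\.[a-z][a-z0-9_]*\b)*")
# Naive comment stripper: good enough for import scanning, not a Java parser.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def netty3_packages(java_source):
    """Return the set of Netty 3 packages referenced in one Java source."""
    code = COMMENTS.sub("", java_source)  # skip commented-out references
    return set(NETTY3_REF.findall(code))

def triage(sources):
    """Split {path: source} into files touching the HTTP codec and the rest."""
    report = {"http_codec": {}, "other_netty3": {}}
    for path, text in sorted(sources.items()):
        pkgs = netty3_packages(text)
        http = sorted(p for p in pkgs
                      if p == HTTP_PKG or p.startswith(HTTP_PKG + "."))
        if http:
            report["http_codec"][path] = http
        elif pkgs:
            report["other_netty3"][path] = sorted(pkgs)
    return report

# Constructed sample sources (hypothetical file names, not James code).
SAMPLE = {
    "SmtpPipeline.java": """
        import org.jboss.netty.channel.ChannelPipeline;
        import org.jboss.netty.handler.ssl.SslHandler;
        // import org.jboss.netty.handler.codec.http.HttpRequestDecoder;
    """,
    "AdminEndpoint.java": "import org.jboss.netty.handler.codec.http.*;",
    "Reflective.java":
        'Class.forName("org.jboss.netty.handler.codec.http.HttpRequestDecoder");',
}

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE).items():
        for path, pkgs in files.items():
            print(f"{bucket:13} {path:20} {', '.join(pkgs)}")
```
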
          j.busch Jan Busch added a comment -

          Oh, yea, you are right, could have realized that myself. Thanks for pointing that out!

          Will have to see when and whether I will have time to contribute to Netty 4 upgrade anyway. If so, I will surely get back to you to make sure I will be doing it right.

          ramahmoo Rashid Mahmood added a comment - - edited

          Is there any progress on upgrade to Netty 4?

          NOTE at Netty website: "As stated this will be our last 3.x release. 3.x is considered EOL, please consider upgrading if you still use any 3.x release."

          https://netty.io/news/2016/06/29/3-10-6-Final.html

          There are a lot of performance and memory leak fixes in Netty 4; I am not sure all those were also patched in 3.x.

          We have performance requirements per mail server instance, like a higher number of TLS connections/sec. With the current James version (3.4.0) at localhost, we see 30 TLS connections per second with all CPU cores at 100%. First profiling showed the CPU was occupied by Netty.

          matthieu Matthieu Baechler added a comment -

          > Is there any progress on upgrade to Netty 4?

          Not as far as I know. Feel free to take over that topic.

          btellier Benoit Tellier added a comment - See JAMES-3715

          People

            Unassigned Unassigned
            randymo Randymo
            Votes: 2
            Watchers: 5
