[ZOOKEEPER-2450] Upgrade Netty version due to security vulnerability (CVE-2014-3488) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.4.8, 3.5.1, 3.6.0
Fix Version/s: 3.4.9, 3.5.2, 3.6.0
Component/s: security, server
Labels:
None

Description

This JIRA recreates ZOOKEEPER-2432 which was deleted as the collateral damage during the spamming fighting effort Apache Infrastructure Team did weeks ago. Recreate the JIRA for the record so external documentations can link back to this JIRA.

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message [1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which is affected by this vulnerability.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
[2] http://netty.io/news/

Attachments

Activity

People

Assignee:: Michael Han

Reporter:: Michael Han

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 22/Jun/16 21:11

Updated:: 21/Jul/16 20:18

Resolved:: 22/Jun/16 21:12