ZooKeeper / ZOOKEEPER-4644

Update 3rd party library versions before release 3.6.4


Details

    Type: Task
    Status: Resolved
    Priority: Major
    Resolution: Fixed
    Affects Version/s: 3.6.3
    Fix Version/s: 3.6.4
    Component/s: None

    Description

      The last 3.6 release happened a long time ago, and before releasing 3.6.4 we need to make sure that no 3rd party library has any CVE issues. I ran CVE checks and compared the 3pp library versions between the active branches and plan to update some libraries.

      mvn clean package -DskipTests dependency-check:check
      
      (...)
      
      [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project zookeeper: 
      [ERROR] 
      [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
      [ERROR] 
      [ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
      [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
      [ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
      [ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
      [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
      

      Besides these, we might need to update some Maven plugins.
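The dependency-check output above lists, per jar, every CVE with its CVSS score, and the plugin fails the build when any score reaches the configured threshold (here 0.0, so any finding fails). When triaging a list like this it helps to know which jars would still fail at a higher threshold and which CVEs are shared between artifacts that ship together (one Jetty upgrade clears both jetty-io and jetty-server). The script below is an added example, not code from the ticket or the ZooKeeper project: it parses the `[ERROR] <jar>: CVE-...(score), ...` summary lines exactly as dependency-check-maven 7.1.0 printed them on this ticket (embedded as a constructed sample), and the 7.0 threshold in the report is an assumed value chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the [ERROR] summary lines from the ticket's
# dependency-check run, copied verbatim (trailing spaces included).
SAMPLE_OUTPUT = """\
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0': 
[ERROR] 
[ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
"""

# One summary line: "[ERROR] <jar>: <comma-separated CVE(score) list>"
LINE_RE = re.compile(r"^\[ERROR\]\s+(?P<jar>\S+\.jar):\s*(?P<cves>.+)$")
# One finding inside that list: "CVE-2022-2048(7.5)"
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")


def parse_findings(text):
    """Return {jar: {cve_id: cvss_score}} from the plugin's [ERROR] summary lines.

    Lines that are not per-jar findings (the banner, blank [ERROR] lines) are skipped.
    """
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cves = {cve: float(score) for cve, score in CVE_RE.findall(m.group("cves"))}
        if cves:
            findings[m.group("jar")] = cves
    return findings


def jars_at_or_above(findings, threshold):
    """Jars whose highest CVSS score reaches `threshold`.

    Mirrors how failBuildOnCVSS decides: a jar fails if any one of its CVEs
    scores >= threshold, so the maximum per jar is what matters.
    """
    return sorted(jar for jar, cves in findings.items() if max(cves.values()) >= threshold)


def cve_to_jars(findings):
    """Invert the map: which jars share a CVE (a single upgrade usually fixes all of them)."""
    shared = defaultdict(list)
    for jar, cves in findings.items():
        for cve in cves:
            shared[cve].append(jar)
    return {cve: sorted(jars) for cve, jars in shared.items()}


def artifact_and_version(jar):
    """Split 'jetty-io-9.4.43.v20210629.jar' into ('jetty-io', '9.4.43.v20210629').

    The version is taken to start at the first '-<digit>' boundary, which holds
    for every jar on the ticket; a name without a numeric version yields ('', '').
    """
    stem = jar[:-4] if jar.endswith(".jar") else jar
    m = re.match(r"^(?P<artifact>.+?)-(?P<version>\d.*)$", stem)
    if not m:
        return stem, ""
    return m.group("artifact"), m.group("version")


def report(text, threshold):
    """Human-readable triage: jars to upgrade at `threshold`, then CVEs shared across jars."""
    findings = parse_findings(text)
    lines = [f"Jars with a CVE scoring >= {threshold}:"]
    for jar in jars_at_or_above(findings, threshold):
        artifact, version = artifact_and_version(jar)
        worst = max(findings[jar].values())
        lines.append(f"  {artifact} {version}  (worst CVSS {worst})")
    lines.append("CVEs affecting more than one jar:")
    for cve, jars in sorted(cve_to_jars(findings).items()):
        if len(jars) > 1:
            lines.append(f"  {cve}: {', '.join(jars)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed threshold of 7.0 (CVSS "high") purely to show the filtering.
    print(report(SAMPLE_OUTPUT, 7.0))
```

Run against the ticket's output with the assumed 7.0 cutoff, the report names jackson-databind, jetty-io and jetty-server as the jars that would still fail, and shows CVE-2022-2047 and CVE-2022-2048 hitting both Jetty artifacts, which is the signal that they move together in one Jetty version bump. Feeding real builds through this is only a convenience; the authoritative gate stays the plugin's own failBuildOnCVSS setting.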

People

    Assignee: Mate Szalay-Beko (symat)
    Reporter: Mate Szalay-Beko (symat)
    Votes: 0
    Watchers: 2


Time Tracking

    Original Estimate: Not Specified
    Remaining Estimate: 0h
    Time Spent: 1h 40m
