Skip to content

[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 #23596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nodece merged 1 commit into from
Nov 13, 2024
Merged

[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 #23596

nodece merged 1 commit into from
Nov 13, 2024
+55 −55

Conversation

@lhotari
Copy link
Member

@lhotari lhotari commented Nov 13, 2024

Motivation

Upgrade to Netty 4.1.115.Final to address CVE-2024-47535. This DoS vulnerability doesn't practically apply to Pulsar since the vulnerability requires write access to the filesystem where the application using Netty is running. However, it's always useful to address CVEs by upgrading to a version that doesn't contain known vulnerabilities.

Modifications

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari self-assigned this Nov 13, 2024
@lhotari lhotari added this to the 4.1.0 milestone Nov 13, 2024
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 13, 2024
@lhotari lhotari mentioned this pull request Nov 13, 2024
Closed
dao-jun
dao-jun approved these changes Nov 13, 2024
View reviewed changes
Copy link
Member

@dao-jun dao-jun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gergelyfabian gergelyfabian mentioned this pull request Nov 13, 2024
Closed
3 tasks
@nodece nodece merged commit 04c80f1 into apache:master Nov 13, 2024
@gergelyfabian
Copy link

gergelyfabian commented Nov 13, 2024

Thank you for fixing this!

@gergelyfabian
Copy link

gergelyfabian commented Nov 13, 2024

Will there be a backported fix for the 3.* release line or only 4.*?

lhotari added a commit that referenced this pull request Nov 13, 2024
@lhotari
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (#…
73b7c4d 
…23596)

(cherry picked from commit 04c80f1)
lhotari added a commit that referenced this pull request Nov 13, 2024
@lhotari
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (#…
a436872 
…23596)

(cherry picked from commit 04c80f1)
lhotari added a commit that referenced this pull request Nov 13, 2024
@lhotari
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (#…
db32c56 
…23596)

(cherry picked from commit 04c80f1)
@lhotari
Copy link
Member Author

lhotari commented Nov 13, 2024

Will there be a backported fix for the 3.* release line or only 4.*?

@gergelyfabian Yes. The changes in this PR have been cherry-picked to branch-3.0, branch-3.3 and branch-4.0.

@gergelyfabian
Copy link

gergelyfabian commented Nov 13, 2024

Will there be a backported fix for the 3.* release line or only 4.*?

@gergelyfabian Yes. The changes in this PR have been cherry-picked to branch-3.0, branch-3.3 and branch-4.0.

Thank you, very useful.

nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 20, 2024
@lhotari @nikhil-ctds
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (a…
b935c82 
…pache#23596)

(cherry picked from commit 04c80f1)
(cherry picked from commit 73b7c4d)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 21, 2024
@lhotari @srinath-ctds
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (a…
ac6c19f 
…pache#23596)

(cherry picked from commit 04c80f1)
(cherry picked from commit 73b7c4d)
hanmz pushed a commit to hanmz/pulsar that referenced this pull request Feb 12, 2025
@lhotari @hanmz
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (a…
3b44167 
…pache#23596)
nodece pushed a commit to nodece/pulsar that referenced this pull request Jun 3, 2025
@lhotari @nodece
[fix][sec] Upgrade to Netty 4.1.115.Final to address CVE-2024-47535 (a…
8d82a10 
…pache#23596)

(cherry picked from commit 04c80f1)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nodece nodece nodece approved these changes

@dao-jun dao-jun dao-jun approved these changes

@merlimat merlimat Awaiting requested review from merlimat

@Technoboy- Technoboy- Awaiting requested review from Technoboy-

@heesung-sohn heesung-sohn Awaiting requested review from heesung-sohn

Assignees

@lhotari lhotari

Labels

area/security cherry-picked/branch-3.0 cherry-picked/branch-3.3 cherry-picked/branch-4.0 doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.8 release/3.3.3 release/4.0.1

Projects

None yet

Milestone

4.1.0

Development

Successfully merging this pull request may close these issues.

4 participants

@lhotari @gergelyfabian @nodece @dao-jun