Potential security vulnerability with Netty dependency

[Antti-Paladin]

Issue Type:

• Bug report
• Feature request

What happened:
There is a security vulnerability CVE-2020-11612 which concerns Netty 4.1.x before 4.1.46, and thus might affect Linkerd too (as of today the Netty version used seems to be 4.1.31 in master).

What you expected to happen:
It could be investigated if this causes a security vulnerability in Linkerd too. If so (and feasible), could update the Netty dependency to a version without the vulnerability.

Environment:

• linkerd version: 1.7.1, but I believe this manifests with all versions using Netty 4.1.x

[olix0r]

@Antti-Paladin Thanks for sharing this with us. We'll look into upgrading.

[cpretzer]

@Antti-Paladin Thanks for this report and for helping us to keep Linkerd awesome!

I've been testing an upgrade to Netty 4.1.47 and that has a dependency on Finagle 20.4.0 and its associated libraries.

I'm held up by a finagle issue at the moment and will update this ticket when the upgrade is unblocked.

[Antti-Paladin]

@cpretzer, sorry for personal ping but any news now that the finagle issue is resolved?

[cpretzer]

Hi @Antti-Paladin , thanks for reaching out.

I'm testing the upgrade as we speak and hope to have it wrapped up today.

[Antti-Paladin]

Awesome news @cpretzer, thank you! 💯

[cpretzer]

Thanks again @Antti-Paladin this is fixed in #2386