Deprecate Netty3 in Druid
Description
Druid still depends on Netty3, which has vulnerabilities such as CVE-2023-44487. Certain downstream applications such as Hive are unable to completely remove the netty3 dependencies due to being dependent on Druid. Please refer to HIVE-25013. Druid should remove its dependency on Netty3.
It would help to have some clarification from the project maintainers on what the plan is for netty3, since the included 3.10.6 is no longer maintained by the netty developers and was last updated in 2016. Netty4 seems to have been added to the build several major releases ago, but it still seems that netty3 is required.
There was a PR a couple of years ago that seemed to be intended to migrate off netty3 entirely, but it was auto-closed: https://github.com/apache/druid/pull/14479
Are there any roadmap items to remove netty3 from Druid?
Yes, we wanna remove netty3 from Druid. Feel free to pick this item up and the maintainers can help unblock.
This issue has been marked as stale due to 280 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.