ZOOKEEPER-4532: Bump jetty to 9.4.46.v20220331 (avoids CVE-2022-22965)
@maoling @eolivelli
This PR is related to which jira? Please mention the jira number in the PR title.
@arshadmohammad done
Can you please also update the License files?
@eolivelli done
@fu-turer How is CVE-2022-2296 related to jetty? Can you please provide some information. If this CVE is applicable to the used jetty version 9.4.43.v20210629, any idea why dependency-check:check is not failing?
@arshadmohammad sorry, it should be CVE-2022-22965
> sorry, it should be CVE-2022-22965
actually CVE-2022-22965 is about Spring (and we don't use Spring in ZooKeeper). I think the CVE you are looking for is CVE-2022-24823. At least when I run the CVE check on the current master branch, this is the only CVE it finds and it is indeed fixed with the netty update.
I'll update the title accordingly
> this is the only CVE it finds and it is indeed fixed with the netty update.
hmm... but this PR is about jetty, not netty. So why do we want to upgrade jetty? Maybe I misunderstand something... @fu-turer , why do you think this CVE-2022-22965 is affecting ZooKeeper and how this is related to Jetty?
On the other hand we don't necessarily need a CVE to upgrade jetty I think. I just want to understand the reasoning.
Will this get merged? I see ZOOKEEPER-4599 reported also for CVE-2022-2048 on the current Jetty version.
Thank you @edwin092 , CVE-2022-2048 indeed looks scary and it does affect ZooKeeper. Unfortunately we need at least jetty 9.4.47 to fix it, so this PR in its current form is not enough.
@fu-turer - can you update your PR to go up to Jetty 9.4.47? Then I can merge it to all active branches. Or if you have no time for it, then I can submit another PR for ZOOKEEPER-4599. Thank you!!
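The point raised above, that a bump to 9.4.46 is not enough because CVE-2022-2048 needs at least jetty 9.4.47, is exactly the kind of threshold check worth automating before opening a dependency-bump PR. The following is an added example written for this page, not ZooKeeper's own tooling: it reads the `*.version` properties out of a pom fragment (the fragment and the `jetty.version` property name are constructed for the example, not copied from the project's pom) and compares each pinned version against a per-CVE minimum fixed version. The only policy row it ships is the one this thread states (CVE-2022-2048 needs jetty >= 9.4.47); any other row you add is your own advisory data. Jetty's `vYYYYMMDD` build qualifier is ignored because only the numeric release decides whether the fix is present.

```python
import re
from typing import Dict, List, Tuple

# Constructed pom.xml fragment in the style of a Maven root pom.
# Not ZooKeeper's real pom; the property names are assumptions.
SAMPLE_POM = """
<project>
  <properties>
    <jetty.version>9.4.46.v20220331</jetty.version>
    <netty.version>4.1.76.Final</netty.version>
  </properties>
</project>
"""

# Minimum fixed version per CVE, keyed by the pom property that pins the
# library. The one row here is what the PR thread states for CVE-2022-2048
# (jetty >= 9.4.47); treat the table as local policy, not as advisory data.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "jetty.version": [("CVE-2022-2048", "9.4.47")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading numeric components of a Maven-style version.

    '9.4.46.v20220331' -> (9, 4, 46); '4.1.76.Final' -> (4, 1, 76).
    Parsing stops at the first non-numeric component (build qualifier),
    since the numeric release alone decides whether a fix is present.
    """
    parts: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def version_at_least(actual: str, required: str) -> bool:
    """True if `actual` is the same or a later numeric release than `required`."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))
    a += (0,) * (width - len(a))   # pad so 9.4.47 == 9.4.47.0
    r += (0,) * (width - len(r))
    return a >= r


def pinned_versions(pom_text: str) -> Dict[str, str]:
    """Extract <name.version>value</name.version> properties from a pom."""
    return dict(re.findall(r"<([\w.]+\.version)>([^<]+)</\1>", pom_text))


def audit(pom_text: str, policy: Dict[str, List[Tuple[str, str]]] = POLICY):
    """Compare every pinned version in the pom against the policy table.

    Returns (property, cve, pinned_version, status) tuples where status is
    'ok', 'vulnerable', or 'unknown' (property not pinned in the pom).
    """
    pins = pinned_versions(pom_text)
    findings = []
    for prop, entries in policy.items():
        pinned = pins.get(prop)
        for cve, fixed_in in entries:
            if pinned is None:
                status = "unknown"
            elif version_at_least(pinned, fixed_in):
                status = "ok"
            else:
                status = "vulnerable"
            findings.append((prop, cve, pinned, status))
    return findings


if __name__ == "__main__":
    for prop, cve, pinned, status in audit(SAMPLE_POM):
        print(f"{prop}={pinned}: {cve} -> {status}")
```

Run against the constructed fragment it reports `jetty.version=9.4.46.v20220331: CVE-2022-2048 -> vulnerable`, which is the conclusion reached in the thread; re-pinning to 9.4.47 flips it to `ok`. A check like this belongs in CI next to `dependency-check:check`, because the scanner only flags what its database already maps to the artifact, while a policy table lets you pin the threshold the moment a Jira such as ZOOKEEPER-4599 is filed.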
@fu-turer @symat any chance this will get addressed?