Skip to content

/ zookeeper

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218 #1552

Closed
wants to merge 1 commit into from
Closed

ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218 #1552

wants to merge 1 commit into from

Conversation

@ztzg
Copy link
Contributor

@ztzg ztzg commented Dec 5, 2020

Bump jetty.version to 9.4.35.v20201120.

The release notes
mention issue 5605:

java.io.IOException: unconsumed input during http request parsing

which seems to match the description of
CVE-2020-27218
@ztzg
ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v202011…
Loading status checks…
02df57d 
…02 - CVE-2020-27218

Bump jetty.version to 9.4.35.v20201120.

The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120)
mention [issues 5605](eclipse/jetty.project#5605):

> java.io.IOException: unconsumed input during http request parsing

which seems to match the description of
[CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218)
@ztzg ztzg requested review from phunt, anmolnar, eolivelli and nkalmar Dec 5, 2020
@eolivelli
eolivelli approved these changes Dec 5, 2020
View changes
Copy link
Contributor

@eolivelli eolivelli left a comment

LGTM

Can you please create a patch for branch-3.5?
It does not use jetty-client
@phunt
phunt reviewed Dec 5, 2020
View changes
Copy link
Contributor

@phunt phunt left a comment

lgtm - one minor nit we can also address at the same time? (see comment) thanks!
zookeeper-server/src/main/resources/lib/jetty-client-9.4.35.v20201120.LICENSE.txt
https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt
or the Apache Software License 2.0 which is available at
https://www.apache.org/licenses/LICENSE-2.0
terms of the Eclipse Public License 2.0 which is available at

This comment has been minimized.

Sign in to view
@phunt

phunt Dec 5, 2020
Contributor

It looks like jetty-client is no longer used - perhaps you can remove as part of this commit?

You can double check - take a look at the binary artifact, this jar is not included. thx.

This comment has been minimized.

Sign in to view
@ztzg

ztzg Dec 5, 2020
Author Contributor

@phunt: This patch is for master, which still pulls jetty-client; I have noted that it should not be included in branch-3.5.

@eolivelli: Yes, will do so. And branch-3.6, too, as it does not cherry-pick clean.

This comment has been minimized.

Sign in to view
@ztzg

ztzg Dec 7, 2020
Author Contributor

(@phunt: In case you were suggesting to remove jetty-client from the POM in master, that would break ZOOKEEPER-3948: Introduce a deterministic runtime behavior injection framework for ZooKeeperServer testing.)
@ztzg
Copy link
Contributor Author

@ztzg ztzg commented Dec 5, 2020

And here are the sister PRs:
@ztzg ztzg mentioned this pull request Dec 6, 2020
Closed
@nkalmar
nkalmar approved these changes Dec 7, 2020
View changes
Copy link
Contributor

@nkalmar nkalmar left a comment

LGTM
@nkalmar
Copy link
Contributor

@nkalmar nkalmar commented Dec 7, 2020

@phunt can you please take another look? On 3.5, Damien removed the client license file:
#1554
We can merge all 3 PRs once everything is all cleared up, and move forward with the 3.5.9 release. (3.5 branch's PR is all good, but I don't want to merge it before master)
@nkalmar
Copy link
Contributor

@nkalmar nkalmar commented Dec 11, 2020

Looks like some jenkins issue:
autoreconf: cannot create /tmp/user/910/ar8984.26381: No such file or directory
@phunt
Copy link
Contributor

@phunt phunt commented Dec 15, 2020

sg - +1 Thanks!
@ztzg
Copy link
Contributor Author

@ztzg ztzg commented Dec 24, 2020

And here are the sister PRs:

I think we have enough approvals, and have had enough time to ponder the changes in these three PRs :)

Should I just merge them? @eolivelli, WDYT?
@eolivelli
Copy link
Contributor

@eolivelli eolivelli commented Dec 24, 2020

Yes go head please
@ztzg ztzg closed this in 59c8741 Dec 24, 2020
@ztzg
Copy link
Contributor Author

@ztzg ztzg commented Dec 24, 2020

Merged in master.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@phunt phunt

@nkalmar nkalmar

@eolivelli eolivelli

@anmolnar anmolnar

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
@ztzg @nkalmar @phunt @eolivelli
You can’t perform that action at this time.