[ https://issues.apache.org/jira/browse/ZOOKEEPER-4649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646985#comment-17646985 ]
Mate Szalay-Beko commented on ZOOKEEPER-4649:
---------------------------------------------

Thanks [~hyperxpro] for checking! I agree, it most likely doesn't affect us.

On the other hand, security scanners used by companies will not know about this and will report this CVE. And explaining to everyone why it doesn't affect us is a headache. Especially now that we plan to release 3.6.4, best to release with the latest netty I think.

(also if we want to ignore this CVE for our dependency checks, that would also require a small commit on all branches anyway... with the same effort we can even upgrade)

> Upgrade netty to 4.1.86 because of CVE-2022-41915
> -------------------------------------------------
>
>                 Key: ZOOKEEPER-4649
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4649
>             Project: ZooKeeper
>          Issue Type: Task
>            Reporter: Mate Szalay-Beko
>            Assignee: Mate Szalay-Beko
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Yesterday a new netty version was released fixing [CVE-2022-41915|
> [https://nvd.nist.gov/vuln/detail/CVE-2022-41915].] We need to upgrade the
> netty version.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)