Upgrade netty from 4.1.73.Final to 4.1.78.Final #3772

Merged

cwperks
Member

@cwperks cwperks commented Jul 5, 2022

Signed-off-by: Craig Perkins cwperx@amazon.com

Description

First PR! 🥇 This upgrades Netty to address a CVE in 4.1.73. This resolves 1831

Issues Resolved

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks cwperks requested review from a team and reta as code owners July 5, 2022 15:35
@reta
Collaborator

reta commented Jul 5, 2022

I am curious why @dependabot didn't do that ...

@github-actions
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:


@@ -86,7 +86,7 @@ public void testBadRequest() throws IOException {
() -> client().performRequest(new Request(randomFrom("GET", "POST", "PUT"), path))
);
assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(BAD_REQUEST.getStatus()));
assertThat(e, hasToString(containsString("too_long_frame_exception")));
assertThat(e, hasToString(containsString("too_long_http_line_exception")));
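Review bot: the exception-name assertion in testBadRequest (`too_long_frame_exception` / `too_long_http_line_exception`) matches on the exception type name that Netty reports, which ties the test to the wording of a particular Netty release and will fail again whenever that name moves. The status-code assertion on the line above already checks the behaviour that matters here, a `BAD_REQUEST` response; consider recording the reason given in the comment below (the message changed between 4.1.74.Final and 4.1.75.Final) as a code comment next to the assertion, or matching a less specific substring such as `too_long`.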
Member Author

This message changed from 4.1.74.Final -> 4.1.75.Final.

Details here: netty/netty@3ba2eed#diff-864e434ddf7f115156d8497898df1bb48240c9d488d6652b52c437bf9c91fb96

@cwperks cwperks mentioned this pull request Jul 5, 2022
5 tasks
@cwperks cwperks changed the title Upgrade netty from 4.1.73.Final to 4.1.77.Final Upgrade netty from 4.1.73.Final to 4.1.78.Final Jul 5, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@reta reta added the backport 2.x Backport to 2.x branch label Jul 5, 2022
@saratvemulapalli saratvemulapalli added v3.0.0 Issues and PRs related to version 3.0.0 v2.2.0 >upgrade Label used when upgrading library dependencies (e.g., Lucene) dependencies Pull requests that update a dependency file labels Jul 5, 2022
@saratvemulapalli
Member

> I am curious why @dependabot didn't do that ...

hm.. maybe @VachaShah might know about it.

@saratvemulapalli saratvemulapalli merged commit 5c531bb into opensearch-project:main Jul 5, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 5, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)
@VachaShah
Collaborator

> I am curious why @dependabot didn't do that ...

> hm.. maybe @VachaShah might know about it.

I think Dependabot is not able to scan version.properties file.

@reta
Collaborator

reta commented Jul 5, 2022

> I am curious why @dependabot didn't do that ...

> hm.. maybe @VachaShah might know about it.

> I think Dependabot is not able to scan version.properties file.

Thanks @VachaShah

@saratvemulapalli
Member

@VachaShah @reta I've opened up an issue #3782.
I have no idea if it can be done, feel free to chime in if you have ideas to make it happen.

saratvemulapalli pushed a commit that referenced this pull request Jul 5, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)

Co-authored-by: Craig Perkins <craig5008@gmail.com>
@mch2 mch2 added backport 1.x backport 1.3 Backport to 1.3 branch labels Jul 6, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 6, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 6, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)
mch2 pushed a commit that referenced this pull request Jul 7, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)

Co-authored-by: Craig Perkins <craig5008@gmail.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 11, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)
reta pushed a commit that referenced this pull request Jul 12, 2022
Signed-off-by: Craig Perkins <cwperx@amazon.com>
(cherry picked from commit 5c531bb)

Co-authored-by: Craig Perkins <craig5008@gmail.com>
Labels
backport 1.x backport 1.3 Backport to 1.3 branch backport 2.x Backport to 2.x branch backport 2.1 dependencies Pull requests that update a dependency file >upgrade Label used when upgrading library dependencies (e.g., Lucene) v2.2.0 v3.0.0 Issues and PRs related to version 3.0.0
Development

Successfully merging this pull request may close these issues.

CVE-2022-24823 (Medium) detected in netty-common-4.1.73.Final.jar
5 participants