
Pin netty_codec to higher version to address vulnerability #2924

Merged
merged 1 commit into from
Sep 18, 2024

Conversation

zpinto
Contributor

@zpinto zpinto commented Sep 17, 2024

Issues

  • Pin netty_codec to higher version to address vulnerability

Description

Fix vulnerability:

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).

All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.

Tests

NA

Changes that Break Backward Compatibility (Optional)

NA

Documentation (Optional)

NA

Commits

  • My commits all reference appropriate Apache Helix GitHub issues in their subject lines. In addition, my commits follow the guidelines from "How to write a good git commit message":
    1. Subject is separated from body by a blank line
    2. Subject is limited to 50 characters (not including Jira issue reference)
    3. Subject does not end with a period
    4. Subject uses the imperative mood ("add", not "adding")
    5. Body wraps at 72 characters
    6. Body explains "what" and "why", not "how"

Code Quality

  • My diff has been formatted using helix-style.xml
    (helix-style-intellij.xml if IntelliJ IDE is used)
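The defect described above is the general "decompression bomb" problem: a decoder that will allocate whatever the compressed stream asks for. The following is an added example, not code from netty or from the Helix project, showing the mitigation the newer netty-codec release applies (an upper bound on decompressed output) implemented against Python's standard bz2 module, since that exposes an incremental bzip2 decoder with a max_length step. The payload, limits and function names are constructed for illustration.

```python
import bz2

# Constructed sample: 1 MiB of zeros is a miniature "bomb"; bzip2 shrinks it
# to a few dozen bytes, so the compressed size says nothing about the output.
SAMPLE_PLAINTEXT_SIZE = 1 << 20
SAMPLE_COMPRESSED = bz2.compress(b"\0" * SAMPLE_PLAINTEXT_SIZE)


class DecompressionLimitExceeded(Exception):
    """Raised when the decoded output would exceed the configured bound."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream but never materialise more than max_output bytes.

    The decoder is driven in bounded steps via max_length, so peak memory is
    capped at max_output + 1 bytes of plaintext regardless of the compression
    ratio. An unbounded decoder (the vulnerable behaviour) would instead size
    its buffers from the stream's own header and block counts.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data  # fed on the first call only; later calls drain buffered output
    while not dec.eof:
        # Never ask for more than would push us one byte past the limit.
        step = min(chunk, max_output - len(out) + 1)
        out += dec.decompress(pending, max_length=step)
        pending = b""
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"decoded output exceeds {max_output} bytes; refusing to continue"
            )
        if dec.needs_input and not dec.eof:
            # All input consumed, nothing buffered, stream not finished: truncated.
            raise EOFError("truncated bzip2 stream")
    return bytes(out)


def fits_within(data: bytes, max_output: int) -> bool:
    """Convenience predicate: True if the stream decodes within the bound."""
    try:
        bounded_bz2_decompress(data, max_output)
        return True
    except DecompressionLimitExceeded:
        return False


if __name__ == "__main__":
    print(f"compressed size: {len(SAMPLE_COMPRESSED)} bytes")
    print("1 MiB limit ->", fits_within(SAMPLE_COMPRESSED, SAMPLE_PLAINTEXT_SIZE))
    print("4 KiB limit ->", fits_within(SAMPLE_COMPRESSED, 4096))
```

The limit is enforced before the next step is requested, so a hostile stream is rejected after at most one extra chunk rather than after the allocator fails. The same principle is what a caller of a bounded decoder configures; the right value is the largest message the application legitimately expects, not the largest the heap can hold.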

@zpinto
Contributor Author

zpinto commented Sep 18, 2024

Was not able to reproduce the issue with the failed test in CI. Likely flaky.

Locally ran 5 times:

➜  helix git:(zpinto/pin_netty_codec) ./scripts/runSingleTest.sh TestAutoRebalanceStrategy#simpleMasterSlaveTest 5
Running test on TestAutoRebalanceStrategy#simpleMasterSlaveTest in component helix-core for 5 times.
======================================================================
Attempt 1 TestAutoRebalanceStrategy#simpleMasterSlaveTest
======================================================================
======================================================================
Attempt 2 TestAutoRebalanceStrategy#simpleMasterSlaveTest
======================================================================
======================================================================
Attempt 3 TestAutoRebalanceStrategy#simpleMasterSlaveTest
======================================================================
======================================================================
Attempt 4 TestAutoRebalanceStrategy#simpleMasterSlaveTest
======================================================================
======================================================================
Attempt 5 TestAutoRebalanceStrategy#simpleMasterSlaveTest
======================================================================

This PR is ready to be merged.

Final commit message:
Pin netty-codec to higher version to address security vulnerability.

@xyuanlu xyuanlu merged commit 5ded480 into apache:master Sep 18, 2024
1 of 2 checks passed