Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade netty from 4.1.73.Final to 4.1.78.Final #3772

Merged

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Jul 5, 2022

Signed-off-by: Craig Perkins [email protected]

Description

First PR! 🥇 This upgrades Netty to address a CVE in 4.1.73. This resolves 1831

Issues Resolved

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwperks cwperks requested review from a team and reta as code owners July 5, 2022 15:35
@reta
Copy link
Collaborator

reta commented Jul 5, 2022

I am curios why @dependabot didn't do that ...

@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks cwperks force-pushed the update-netty-to-4.1.77 branch from a76875a to fc2982f Compare July 5, 2022 16:11
@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@@ -86,7 +86,7 @@ public void testBadRequest() throws IOException {
() -> client().performRequest(new Request(randomFrom("GET", "POST", "PUT"), path))
);
assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(BAD_REQUEST.getStatus()));
assertThat(e, hasToString(containsString("too_long_frame_exception")));
assertThat(e, hasToString(containsString("too_long_http_line_exception")));
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This message changed from 4.1.74.Final -> 4.1.75.Final.

Details here: netty/netty@3ba2eed#diff-864e434ddf7f115156d8497898df1bb48240c9d488d6652b52c437bf9c91fb96

@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks cwperks mentioned this pull request Jul 5, 2022
5 tasks
@cwperks cwperks changed the title Upgrade netty from 4.1.73.Final to 4.1.77.Final Upgrade netty from 4.1.73.Final to 4.1.78.Final Jul 5, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@cwperks cwperks force-pushed the update-netty-to-4.1.77 branch from 1cbde87 to 7e248b4 Compare July 5, 2022 19:17
@github-actions
Copy link
Contributor

github-actions bot commented Jul 5, 2022

Gradle Check (Jenkins) Run Completed with:

@reta reta added the backport 2.x Backport to 2.x branch label Jul 5, 2022
@saratvemulapalli saratvemulapalli added v3.0.0 Issues and PRs related to version 3.0.0 v2.2.0 >upgrade Label used when upgrading library dependencies (e.g., Lucene) dependencies Pull requests that update a dependency file labels Jul 5, 2022
@saratvemulapalli
Copy link
Member

I am curios why @dependabot didn't do that ...

hm.. may be @VachaShah might know about it.

@saratvemulapalli saratvemulapalli merged commit 5c531bb into opensearch-project:main Jul 5, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 5, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)
@VachaShah
Copy link
Collaborator

I am curios why @dependabot didn't do that ...

hm.. may be @VachaShah might know about it.

I think Dependabot is not able to scan version.properties file.

@reta
Copy link
Collaborator

reta commented Jul 5, 2022

I am curios why @dependabot didn't do that ...

hm.. may be @VachaShah might know about it.

I think Dependabot is not able to scan version.properties file.

Thanks @VachaShah

@saratvemulapalli
Copy link
Member

@VachaShah @reta I've opened up an issue #3782.
I have no idea if it can be done, feel free to chime if you have ideas to make it happen.

saratvemulapalli pushed a commit that referenced this pull request Jul 5, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)

Co-authored-by: Craig Perkins <[email protected]>
@mch2 mch2 added backport 1.x backport 1.3 Backport to 1.3 branch labels Jul 6, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 6, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 6, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)
mch2 pushed a commit that referenced this pull request Jul 7, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)

Co-authored-by: Craig Perkins <[email protected]>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 11, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)
reta pushed a commit that referenced this pull request Jul 12, 2022
Signed-off-by: Craig Perkins <[email protected]>
(cherry picked from commit 5c531bb)

Co-authored-by: Craig Perkins <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.x backport 1.3 Backport to 1.3 branch backport 2.x Backport to 2.x branch backport 2.1 dependencies Pull requests that update a dependency file >upgrade Label used when upgrading library dependencies (e.g., Lucene) v2.2.0 v3.0.0 Issues and PRs related to version 3.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CVE-2022-24823 (Medium) detected in netty-common-4.1.73.Final.jar
5 participants