HADOOP-19878. Upgrade to Netty 4.1.133.Final due to CVEs#8469

Merged
pan3793 merged 1 commit into apache:trunk from pjfanning:HADOOP-19878-netty
May 8, 2026

@pjfanning
Member

Description of PR

https://issues.apache.org/jira/browse/HADOOP-19878

How was this patch tested?

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

If an AI tool was used:

Contributor

@steveloughran steveloughran left a comment

+1 pending the build.

@pjfanning we really need an upgrade marathon, don't we, where everything which can be upgraded is (trunk, and 3.5) and anything which still works on java8 is done for the 3.4 branch. Then we can think of new releases

Contributor

@ajfabbri ajfabbri left a comment

+1 pending jenkins/pr-merge CI passing. We can ignore the PR update / Build (pull_request_target) — Workflow run detection failed check for now: We are adding new github actions-based CI which requires enabling actions in your forked repo to get past that error, but it is not a requirement yet.

Comment thread LICENSE-binary
io.netty:netty-codec-http2:4.1.133.Final
io.netty:netty-codec-memcache:4.1.133.Final
io.netty:netty-codec-mqtt:4.1.133.Final
io.netty:netty-codec-redis:4.1.133.Final
Member

are all those netty libs used by hadoop? I don't think hadoop requires netty-codec-redis ...

Member Author

it feels like there is a separate task to revisit the entire LICENSE-binary file - I guarantee that this is not the only is it/isn't it correct line in the file

@pan3793
Member

pan3793 commented May 8, 2026

@pjfanning could you follow the instructions to ensure GHA on your forked repo?

https://github.com/apache/hadoop/pull/8469/checks?check_run_id=74443729055

@pjfanning pjfanning force-pushed the HADOOP-19878-netty branch from adb3358 to b3f0d8a Compare May 8, 2026 09:01
@pan3793
Member

pan3793 commented May 8, 2026

@steveloughran do we want to land this in branch-3.4? HADOOP-19788 upgraded Netty from 4.1.127.Final to 4.1.130.Final, which does not land branch-3.4, we need both or neither.

@pan3793 pan3793 changed the title from "HADOOP-19878. Upgrade to Netty 4.1.113.Final due to CVEs" to "HADOOP-19878. Upgrade to Netty 4.1.133.Final due to CVEs" May 8, 2026
@pan3793 pan3793 merged commit 07fe052 into apache:trunk May 8, 2026
2 of 4 checks passed
pan3793 pushed a commit that referenced this pull request May 8, 2026
Reviewed-by: Steve Loughran <stevel@cloudera.com>
Reviewed-by: Aaron Fabbri <fabbri@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>
@pjfanning pjfanning deleted the HADOOP-19878-netty branch May 8, 2026 09:37
@pan3793
Member

pan3793 commented May 8, 2026

merged to trunk/branch-3.5 for now. branch-3.4 backport requires making a decision first.

@steveloughran
Contributor

i don't see any specific reason for holding back the 3.4 update, so go with it

pan3793 pushed a commit that referenced this pull request May 8, 2026
Reviewed-by: Steve Loughran <stevel@cloudera.com>
Reviewed-by: Aaron Fabbri <fabbri@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>
@pan3793
Member

pan3793 commented May 8, 2026

backported to branch-3.4
