Skip to content

HIVE-29253:bump netty version to 4.1.127.Final due to CVE-2025-58057 … #6121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 16, 2025
Merged

HIVE-29253:bump netty version to 4.1.127.Final due to CVE-2025-58057 … #6121

merged 1 commit into from
Oct 16, 2025

Conversation

ramitg254
Copy link
Contributor

CVE-2025-58056

What changes were proposed in this pull request?

netty version upgrade to 4.1.127.Final to fix cves

Why are the changes needed?

current netty version is suffering from cves

Does this PR introduce any user-facing change?

No

How was this patch tested?

local build

@ramitg254
Copy link
Contributor Author

@deniskuzZ can you please review it

@InvisibleProgrammer
Copy link
Contributor

Netty 4.2.6.Final is the latest release. Could it worth to upgrade to that release?

@ramitg254
Copy link
Contributor Author

ramitg254 commented Oct 8, 2025
edited
Loading

Netty 4.2.6.Final is the latest release. Could it worth to upgrade to that release?

Hadoop trunk is also at netty 4.1.127 according to https://issues.apache.org/jira/browse/HADOOP-19689?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel.
So trying keep it in sync with that

deniskuzZ
deniskuzZ previously approved these changes Oct 8, 2025
View reviewed changes
Copy link
Member

@deniskuzZ deniskuzZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@Aggarwal-Raghav
Copy link
Contributor

I'm ok with the changes in current PR. I just want to hightlight that the following jars with older version are also getting shipped. It is irrespective of this PR.

netty-handler-4.1.105.Final.jar
netty-transport-native-epoll-4.1.105.Final.jar

@deniskuzZ
Copy link
Member

deniskuzZ commented Oct 8, 2025
edited
Loading

I'm ok with the changes in current PR. I just want to hightlight that the following jars with older version are also getting shipped. It is irrespective of this PR.

@Aggarwal-Raghav, thanks for validating this! In this case PR is not complete. @ramitg254 could you please make sure we don't bring multiple versions of netty dependencies

[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:3.4.1:compile
[INFO] |  +- io.netty:netty-all:jar:4.1.100.Final:compile

mvn dependency:tree | grep 'netty-all' | grep '4.1' | grep -v 'optional' | grep -v ':test' | sed -E 's/.io.netty:netty-all:jar:([0-9.]+.Final):./\1/' | sort -u

4.1.100.Final
4.1.116.Final

@deniskuzZ deniskuzZ dismissed their stale review October 8, 2025 20:26

incomplete

@ramitg254
Copy link
Contributor Author

ramitg254 commented Oct 9, 2025
edited
Loading

dependency-tree.txt
@deniskuzZ I have enforced use of single version 4.1.127.Final of netty now,
I hadn't done it earlier because the other version like 4.1.100 and 4.1.105 were coming from Hadoop and zookeeper and that I thought could be handled when Hadoop and zookeeper upgrade will take place and I saw earlier netty upgrade for version 4.1.116.Final was done in similar fashion instead of other versions from these dependencies.
So I think we have two options here:

  1. Enforcing a single version like current
  2. Or let the other versions upgrade happen when Hadoop and zookeeper upgrade will take place

Also I think option 1 is more suitable as we already have netty-all in dependency management of project pom so by adding other deps which are part of netty-all but pulled transitively by some other deps like Hadoop and zookeeper and causing version variation can be avoided

@ramitg254 ramitg254 requested a review from deniskuzZ October 9, 2025 11:30
@InvisibleProgrammer
Copy link
Contributor

Why it was necessary to pull netty into standalone-metastore and storage-api?

@ramitg254
Copy link
Contributor Author

ramitg254 commented Oct 9, 2025
edited
Loading

Why it was necessary to pull netty into standalone-metastore and storage-api?

In these modules due to presence of :

<parent>
    <groupId>org.apache</groupId>
    <artifactId>apache</artifactId>
    <version>23</version>
 </parent>

in place of :

<parent>
    <groupId>org.apache.hive</groupId>
    <artifactId>hive</artifactId>
    <version>4.2.0-SNAPSHOT</version>
    <relativePath>../pom.xml</relativePath>
  </parent>

It’s not inheriting the dependency management rules defined in the project’s POM, so they need to be added explicitly

@InvisibleProgrammer
Copy link
Contributor

InvisibleProgrammer commented Oct 14, 2025
edited
Loading

LGTM. Please do not forget to squash the commits.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

deniskuzZ
deniskuzZ approved these changes Oct 16, 2025
View reviewed changes
Copy link
Member

@deniskuzZ deniskuzZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@deniskuzZ deniskuzZ merged commit f124067 into apache:master Oct 16, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deniskuzZ deniskuzZ deniskuzZ approved these changes

+1 more reviewer

@InvisibleProgrammer InvisibleProgrammer InvisibleProgrammer approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

tests passed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ramitg254 @InvisibleProgrammer @Aggarwal-Raghav @deniskuzZ @asf-ci-hive