Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade netty to 4.1.111 #5050

Closed
barthanssens opened this issue Jun 23, 2024 · 1 comment · Fixed by #5051
Closed

Upgrade netty to 4.1.111 #5050

barthanssens opened this issue Jun 23, 2024 · 1 comment · Fixed by #5051
Assignees
@barthanssens
Labels
🐞 bug issue is a bug dependencies Pull requests that update a dependency file security
Milestone
5.0.1

Comments

@barthanssens
Copy link
Contributor

barthanssens commented Jun 23, 2024
edited
Loading

Current Behavior

I've noticed, when releasing the docker workbench image, there are a few vulnerabilities in netty (which may or may not affect RDF4J workbenc00h)

Expected Behavior

Upgrading to the latest (patch) release of netty should fix the reported CVEs for netty dependencies

Steps To Reproduce

No response

Version

5.0.0

Are you interested in contributing a solution yourself?

Yes

Anything else?

Might not be that straightforward, since netty is being used by (sub)dependencies, some excludes/includes in POMs can be expected
@barthanssens barthanssens added 🐞 bug issue is a bug security dependencies Pull requests that update a dependency file labels Jun 23, 2024
@barthanssens barthanssens added this to the 5.0.1 milestone Jun 23, 2024
barthanssens added a commit to Fedict/rdf4j that referenced this issue Jun 23, 2024
@barthanssens
eclipse-rdf4jGH-5050: add netty dependency management to fix CVEs
8a52b62 
Signed-off-by: Bart Hanssens <bart.hanssens@bosa.fgov.be>
@barthanssens barthanssens mentioned this issue Jun 23, 2024
Merged
5 tasks
@barthanssens
Copy link
Contributor Author

barthanssens commented Jun 23, 2024
edited
Loading

Dependency management is honored by most but not all (sub)dependencies, e.g. solr-solrj:jar:8.11.2 still uses 4.1.97

But it looks like this version of solr is only used at compile time for rdf4j-spring, and the included dependencies are OK (so probably another issue to pin down the solr-solrj version to 8.9.0 for all modules)

@barthanssens barthanssens self-assigned this Jun 24, 2024
@barthanssens barthanssens changed the title Upgrade netty to 4.1.108 Upgrade netty to 4.1.111 Jun 24, 2024
barthanssens added a commit that referenced this issue Jun 30, 2024
@barthanssens
GH-5050: add netty dependency management to fix CVEs (#5051)
e0e9868 
Signed-off-by: Bart Hanssens <bart.hanssens@bosa.fgov.be>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@barthanssens barthanssens

Labels
🐞 bug issue is a bug dependencies Pull requests that update a dependency file security
Projects
None yet
Milestone
5.0.1
Development

Successfully merging a pull request may close this issue.

GH-5050: add netty dependency management to fix CVEs Fedict/rdf4j
1 participant
@barthanssens