Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump Netty to 4.1.108.Final due to CVE-2024-29025 #1068

Merged
merged 2 commits into from
Jul 6, 2024
Merged

Bump Netty to 4.1.108.Final due to CVE-2024-29025 #1068

merged 2 commits into from
Jul 6, 2024
+2 −2

Conversation

petarov
Copy link
Contributor

@petarov petarov commented Jun 13, 2024

This is a simple PR that bumps Netty to 4.1.108.Final. Unit tests seem to run without any issues.

Background:

One of my projects uses Pushy and I'm required to compose an SBOM of all dependencies when shipping builds. CVE-2024-29025 was reported due to Pushy's dependency on Netty.

Vulnerability reported in 0.15.4:

NAME              INSTALLED      FIXED-IN       TYPE          VULNERABILITY        SEVERITY 
netty-codec-http  4.1.104.Final  4.1.108.Final  java-archive  GHSA-5jpm-x58v-624v  Medium

See GHSA-5jpm-x58v-624v

jchambers
jchambers reviewed Jun 13, 2024
View reviewed changes
Copy link
Owner

@jchambers jchambers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, and thank you for the contribution! First, for posterity, it's true that the current Pushy does depend on an affected version of Netty, but the specific vulnerability does not apply to Pushy.

That said:

  1. Why go to 4.1.108? Why not go all the way to the latest version (4.1.111 at the time of writing)?
  2. Could you please also update the README to match?

Thanks!

@petarov
Copy link
Contributor Author

petarov commented Jun 14, 2024

Thank you for the feedback. I have updated the PR and changed the version to 4.1.111.Final, as well as updated the README.

You're right that Pushy is not affected, but sadly most IT admins I'd deal with, just run the scanner, see the report and then open a ticket on my side. It's annoying, but that's how it is.

@jchambers
Copy link
Owner

You're right that Pushy is not affected, but sadly most IT admins I'd deal with, just run the scanner, see the report and then open a ticket on my side. It's annoying, but that's how it is.

You have my sympathy, friend ;)

@jchambers jchambers added this to the v0.16.0 milestone Jul 6, 2024
@jchambers jchambers merged commit ac892d1 into jchambers:main Jul 6, 2024
32 checks passed
@petarov petarov deleted the upgrade_to_netty_4.1.108 branch July 6, 2024 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jchambers jchambers jchambers approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.16.0
Development

Successfully merging this pull request may close these issues.
2 participants
@petarov @jchambers