Skip to content

Netty requires update to 5.0.0 to resolve vulnerability #2251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
BrHowell opened this issue Nov 16, 2023 · 4 comments
Closed

Netty requires update to 5.0.0 to resolve vulnerability #2251

BrHowell opened this issue Nov 16, 2023 · 4 comments

Comments

@BrHowell
Copy link

CVE-2023-4586 has been published, affecting versions of netty prior to 5.0.0
@marcospereira
Copy link

According to a few comments in Netty's issue tracker, CVE-2023-4586 is a false positive:

And it was withdrawn:

Which tool reported that to you, @BrHowell? I assume it needs to be configured to ignore that CVE.

@marcospereira
Copy link

But merging #2245 would be good, though.

@BrHowell
Copy link
Author

Yes I ended up discovering that withdrawal, and so we're now ignoring the CVE as we're covered by 4.1.100.Final and up.

I forgot about coming back to this issue to update, sorry. I'll close it.

@BrHowell BrHowell closed this as not planned Won't fix, can't repro, duplicate, stale Nov 30, 2023
@yawkat
Copy link

yawkat commented Dec 4, 2023

@BrHowell please note that 4.1.100.Final does not "cover" the CVE. The relevant netty API has remained unchanged. It is simply a false positive CVE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@marcospereira @yawkat @BrHowell