Upgrade netty due to CVE-2024-47535 #2630

Open
ptrthomas opened this issue Dec 2, 2024 · 1 comment

Comments

@ptrthomas
Member

We have received a report of security scans finding the netty dependency to be problematic. To quote:

Scan an OCI image containing the karate.jar, with for example trivy, and discover a high severity finding of CWE-400 by usage of io.netty:netty-common

link: GHSA-xq3w-v528-46rv

@ptrthomas ptrthomas self-assigned this Dec 2, 2024
ptrthomas added a commit that referenced this issue Dec 2, 2024
@ptrthomas ptrthomas added this to the 1.5.1 milestone Dec 2, 2024
@ptrthomas ptrthomas added the fixed label Dec 2, 2024
@ptrthomas
Member Author

Upgrading armeria ensures that netty 4.1.115.Final is used, which resolves the CVE. cc @SkyHuk

Karate 1.5.1 will be released soon (ETA to be determined), and can be expedited on request.

Note that teams should be able to override dependencies without waiting for a release, as explained here: #1834 (comment)
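
The override the maintainer refers to can be done in the consuming project's own build. The following is an added example of such a pom.xml, not code from the Karate project or from the linked comment: it imports the Netty BOM at 4.1.115.Final (the version the maintainer names above) in dependencyManagement so that Maven uses it for every transitive io.netty artifact pulled in via karate-core and armeria, regardless of the version those declare. The Karate version, artifact id and the project coordinates are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not part of the Karate project): pin Netty to a fixed
     version in the project that consumes karate, so an OCI image built
     from it no longer ships the io.netty version flagged by the scanner.
     Maven's rule: a version declared in <dependencyManagement> wins over
     any version a transitive dependency asks for. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the consuming project. -->
  <groupId>com.example</groupId>
  <artifactId>api-tests</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <properties>
    <!-- Assumed: the karate release in use before 1.5.1 is published. -->
    <karate.version>1.5.0</karate.version>
    <!-- Fixed netty release named in the issue above. -->
    <netty.version>4.1.115.Final</netty.version>
    <maven.compiler.release>17</maven.compiler.release>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM manages every io.netty:netty-* artifact at
           once (netty-common, netty-handler, netty-codec-http, ...), so a
           single pin covers all of them instead of listing each module. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- karate brings in armeria, which brings in netty transitively;
         the managed version above replaces whatever they resolve to. -->
    <dependency>
      <groupId>io.karatelabs</groupId>
      <artifactId>karate-junit5</artifactId>
      <version>${karate.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

To confirm the pin took effect before rebuilding the image, run `mvn dependency:tree -Dincludes=io.netty` and check that every io.netty artifact resolves to 4.1.115.Final; if any older version still appears, a dependency is being resolved outside this POM's management (for example through a parent POM with its own BOM import). Then rescan the rebuilt image with trivy to confirm GHSA-xq3w-v528-46rv is no longer reported. Since 4.1.115.Final is the version the maintainer says 1.5.1 itself will use, it is the natural pin to choose; pinning a different netty line than the framework was built against would need its own compatibility testing.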
