Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Java] Upgrade netty-codec-http dependencies #33068

Closed
asfimport opened this issue Sep 27, 2022 · 4 comments
Closed

[Java] Upgrade netty-codec-http dependencies #33068

asfimport opened this issue Sep 27, 2022 · 4 comments
Labels
Component: Java Type: bug
Milestone
10.0.0

Comments

@asfimport
Copy link

CVE-2022-24823 reports a security vulnerability for netty-codec-http

Now the version of netty-codec-http in the master branch is 4.1.72.Final, that is unsafe.

The ticket https://issues.apache.org/jira/browse/ARROW-16996 bumps netty-codec to {}4.1.78.Final{}, it didn't bump netty-codec-http.

Can you upgrade the version of netty-codec-http

 

Here is my output of mvn:dependency now:

[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] |  +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  - io.netty:{**}netty-codec-http{**}:jar:4.1.72.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] |  |  |  - io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] |  |  +- io.perfmark:perfmark-api:jar:0.25.0:runtime
[INFO] |  |  - io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] |  +- io.grpc:grpc-core:jar:1.47.0:compile
[INFO] |  |  +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] |  |  - org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] |  +- io.grpc:grpc-context:jar:1.47.0:compile
[INFO] |  +- io.grpc:grpc-protobuf:jar:1.47.0:compile
[INFO] |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] |  |  - io.grpc:grpc-protobuf-lite:jar:1.47.0:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-classes:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.53.Final:compile
[INFO] |  |  - io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.53.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |  +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |  - io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |  +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  |  - com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- io.grpc:grpc-stub:jar:1.47.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.21.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.47.0:compile
[INFO] |  - javax.annotation:javax.annotation-api:jar:1.3.2:compile

Reporter: Hui Yu
Assignee: David Dali Susanibar Arce / @davisusanibar

PRs and other links:

Note: This issue was originally created as ARROW-17850. Please see the migration documentation for further details.
@asfimport
Copy link
Author

David Li / @lidavidm:
CC @davisusanibar @lwhite1

@asfimport
Copy link
Author

David Dali Susanibar Arce / @davisusanibar:
Updated to:

$ mvn dependency:tree --debug | grep netty-codec-http

[DEBUG]       io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]          io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG]       io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]          io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] |  |  \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG]          io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG]             io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.82.Final:compile

@asfimport
Copy link
Author

David Li / @lidavidm:
Issue resolved by pull request 14265
#14265

@asfimport
Copy link
Author

Hui Yu:
Thank you all !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Component: Java Type: bug
Projects
None yet
Milestone
10.0.0
Development

No branches or pull requests
1 participant
@asfimport