[Java] Upgrade netty-codec-http dependencies #33068
David Dali Susanibar Arce / @davisusanibar:

```
$ mvn dependency:tree --debug | grep netty-codec-http
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] | +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] | | \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] | | | \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] | | | \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] | | | \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[DEBUG] io.netty:netty-codec-http:jar:4.1.82.Final:compile (version managed from 4.1.82.Final)
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] | | | \- io.netty:netty-codec-http:jar:4.1.82.Final:compile
```
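A check that the `mvn dependency:tree --debug` output above could be fed into, added here as an example (not code from the Arrow project or from either commenter): it reports every distinct version of an artifact that resolves below a floor, along with the version it was managed from. The `4.1.77.Final` floor and the sample lines are assumptions constructed for illustration; take the real floor from the Netty advisory for the CVE.

```python
import re
import sys

# One resolved coordinate in `mvn dependency:tree` output, with an optional
# classifier and the "(version managed from X)" note that --debug adds.
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:"
    r"(?:[\w.\-]+:)?(?P<version>\d[\w.\-]*):"
    r"(?:compile|runtime|test|provided|system)"
    r"(?:\s+\(version managed from (?P<managed_from>[\w.\-]+)\))?"
)

def version_key(version):
    """'4.1.82.Final' -> (4, 1, 82): numeric compare, so 4.1.100 > 4.1.77."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def audit(tree_output, artifact, minimum):
    """Distinct (version, managed_from) pairs of `artifact` resolved below `minimum`."""
    floor = version_key(minimum)
    findings = set()
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if m and m["artifact"] == artifact and version_key(m["version"]) < floor:
            findings.add((m["version"], m["managed_from"]))
    return sorted(findings, key=lambda f: (version_key(f[0]), f[1] or ""))

# Constructed sample in the shape of the output above; the 4.1.72.Final lines
# are invented to show a module that still resolves an old version.
SAMPLE = """\
[DEBUG] io.netty:netty-codec-http2:jar:4.1.82.Final:compile (version managed from 4.1.77.Final)
[INFO] | +- io.netty:netty-codec-http2:jar:4.1.82.Final:compile
[INFO] | | \\- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[INFO] | \\- io.netty:netty-codec-http:jar:4.1.72.Final:compile
[DEBUG] io.netty:netty-codec-http:jar:4.1.72.Final:compile (version managed from 4.1.82.Final)
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.82.Final:compile
"""

if __name__ == "__main__":
    # Pipe real Maven output on stdin; with no pipe the constructed sample is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = audit(text, "netty-codec-http", "4.1.77.Final")  # assumed floor
    for version, managed_from in bad:
        print(f"netty-codec-http {version} (managed from {managed_from})")
    sys.exit(1 if bad else 0)  # non-zero exit lets a CI step fail the build
```

Because it scans every module's lines rather than the first hit, it catches a submodule that overrides the managed version.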
CVE-2022-24823 reports a security vulnerability for netty-codec-http.
Now the version of netty-codec-http in the master branch is 4.1.72.Final, which is unsafe.
The ticket https://issues.apache.org/jira/browse/ARROW-16996 bumps netty-codec to `4.1.78.Final`; it didn't bump netty-codec-http.
Can you upgrade the version of netty-codec-http?
Here is my output of mvn:dependency now:
Reporter: Hui Yu
Assignee: David Dali Susanibar Arce / @davisusanibar
PRs and other links:
Note: This issue was originally created as ARROW-17850. Please see the migration documentation for further details.