Netty security issues (CVE-2022-41915 and CVE-2021-43797)

[mauriciogeneroso]

There are two issues with netty-codec-http-4.1.60 comming with the latest AHC 2.12.3 that will be fixed on the AHC 3.x (as I checked the code it is using 4.1.100.Final of netty for AHC 3.x), I'd like to check if there is an expectation for a 3.x release or if those could be fixed on 2.12.x.

• CVE-2022-41915 (this one seems a veracode false warning as the description says it would happen from 4.1.83.Final to < 4.1.86.Final)
• CVE-2021-43797

Thanks.

---

Also I tried to create a branch to submit a fix and I had not permission. How could I contribute?

[hyperxpro]

2.x has reached EoL.

[mauriciogeneroso]

Is 3.0.0.Beta3 the latest stable to be used? How about the contribution?

[hyperxpro]

3.0.0.Final will be released soon which will be a stable API.