Uncontrolled Memory Allocation in netty-codec 4.1.45.Final

[leonardosantosklarna]

There is a high severity vulnerability found in netty-codec [4.1.0.Final, 4.1.46.Final). The version netty-codec@4.1.45.Final is currently being used by http4s-async-http-client 0.21.7. I was wondering whether it was possible to release a hotfix with the dependency updated to 4.1.46.Final or higher?

Please refer to https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897 for more details on the vulnerability.

[ashwinbhaskar]

I can start looking into this.

[rossabaker]

It looks like async-http-client >= 2.11.0 is sufficient. I'm not sure offhand why sbt-updates isn't prompting us for this.

[rossabaker]

Oh. Well, nuts:

     // Broke binary compatibility with 2.10.5
    dependencyUpdatesFilter -= moduleFilter(organization = "org.asynchttpclient", revision = "2.11.0"),

We could explicitly bump netty in series/0.21. It might anger the sbt-explicit-dependencies plugin.

[rossabaker]

I went ahead and grabbed this one, because I'd like to release it today.

[rossabaker]

Fixed by #3747.