Uncontrolled Memory Allocation in netty-codec 4.1.45.Final #3681
I can start looking into this.
It looks like async-http-client >= 2.11.0 is sufficient. I'm not sure offhand why sbt-updates isn't prompting us for this.
Oh. Well, nuts:
We could explicitly bump netty in series/0.21. It might anger the sbt-explicit-dependencies plugin.
I went ahead and grabbed this one, because I'd like to release it today.
Fixed by #3747.
There is a high severity vulnerability found in netty-codec [4.1.0.Final, 4.1.46.Final). The version netty-codec@4.1.45.Final is currently being used by http4s-async-http-client 0.21.7. I was wondering whether it was possible to release a hotfix with the dependency updated to 4.1.46.Final or higher?
Please refer to https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897 for more details on the vulnerability.