Upgrade netty due to CVE-2024-47535 #2630

Closed
ptrthomas opened this issue Dec 2, 2024 · 5 comments

@ptrthomas
Member

We have received a report of security scans finding the netty dependency to be problematic. To quote:

Scan an OCI image containing the karate.jar, with for example trivy, and discover a high severity finding of CWE-400 by usage of io.netty:netty-common

link: GHSA-xq3w-v528-46rv

@ptrthomas ptrthomas self-assigned this Dec 2, 2024
ptrthomas added a commit that referenced this issue Dec 2, 2024
@ptrthomas ptrthomas added this to the 1.5.1 milestone Dec 2, 2024
@ptrthomas ptrthomas added the fixed label Dec 2, 2024
@ptrthomas
Member Author

Upgrading Armeria ensures that netty 4.1.115.Final is used, which resolves the CVE. cc @SkyHuk

Karate 1.5.1 will be released soon (ETA to be determined), and can be expedited on request.

Note that teams should be able to override dependencies without waiting for a release, as explained here: #1834 (comment)
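
As an added example, not code from this thread or from the Karate project: one way to apply the kind of dependency override the comment refers to in a Maven build, so the patched netty line is pulled in ahead of a Karate release. It assumes the consuming project is built with Maven and depends on a `karate-junit5` artifact (that coordinate, the `com.example` project coordinates and the `KARATE_VERSION_IN_USE` placeholder are assumptions); the netty version is the one this thread names as resolving the CVE.

```xml
<!-- Added example, not from the Karate project: pin the patched netty line via
     Maven dependencyManagement so it overrides the version that Armeria pulls
     in transitively. Coordinates other than io.netty:* are assumptions. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>karate-tests</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Version named in this issue as resolving CVE-2024-47535 -->
    <netty.version>4.1.115.Final</netty.version>
    <!-- Placeholder: the Karate version the build currently uses -->
    <karate.version>KARATE_VERSION_IN_USE</karate.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the netty BOM aligns every io.netty:* module, not only
           netty-common, so mixed netty versions cannot creep in. Managed
           versions apply to transitive dependencies as well as direct ones. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed Karate test dependency; its transitive netty modules now
         resolve to the managed 4.1.115.Final -->
    <dependency>
      <groupId>com.intuit.karate</groupId>
      <artifactId>karate-junit5</artifactId>
      <version>${karate.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=io.netty`, which should list only 4.1.115.Final for the io.netty modules, then re-run the image scan. Such an override only applies when Karate is consumed as a library dependency of your own build, not to a prebuilt jar that already bundles its dependencies.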

@ptrthomas
Member Author

1.5.1 released

@ptrthomas
Member Author

@SkyHuk - looks like in 1.5.1 another lib, logback-core, may be an issue, though not high-sev. Can you see if this is a problem when you get a chance? Thanks!

@ptrthomas
Member Author

@SkyHuk - update: am making a quick 1.5.2 release for #2642

@SkyHuk

SkyHuk commented Jan 9, 2025

@SkyHuk - looks like in 1.5.1 another lib, logback-core, may be an issue, though not high-sev. Can you see if this is a problem when you get a chance? Thanks!

@ptrthomas - I checked on my end for 1.5.1 and I'm seeing the logback-core medium (1) and low (1) severity findings as well. We are happy with the high-sev fix for now and will be looking forward to 1.5.2 when it releases 😄 👍

Thank you!
