
Security vulnerability reported for io.netty:netty-codec #1264

Closed
narayar opened this issue Apr 10, 2020 · 3 comments
Labels
status: duplicate A duplicate of another issue type: bug A general bug

Comments

@narayar

narayar commented Apr 10, 2020

Bug Report

Security vulnerability reported for io.netty:netty-codec
The latest io.lettuce:lettuce-core:5.2.2.RELEASE has a hard dependency on io.netty:netty-handler:4.1.45.Final, which in turn depends on io.netty:netty-codec:4.1.45.Final, which has the following security vulnerability reported on 4/8/2020:

[Screenshot: 2020-04-09 6:31:21 PM]

Please upgrade your lib to depend on the later versions of io.netty libs where the vulnerability is fixed.


@narayar narayar added the type: bug A general bug label Apr 10, 2020
@narayar
Author

narayar commented Apr 10, 2020

The following is the dependency tree for your latest version -
[Screenshot: 2020-04-09 6:33:49 PM]

@mp911de mp911de added the status: duplicate A duplicate of another issue label Apr 14, 2020
@mp911de
Collaborator

mp911de commented Apr 14, 2020

Lettuce isn't exposing a netty server and it's not using any netty ZLib codecs so there's no vulnerability when using Lettuce. In any case, we upgraded to Netty 4.1.48 already a while ago (see #1259).

@mp911de mp911de closed this as completed Apr 14, 2020
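For a project still on lettuce-core 5.2.2.RELEASE that wants the patched Netty line the maintainer mentions (4.1.48) before a new Lettuce release reaches Maven Central, the usual mitigation is to override the transitive Netty version in the consuming project's own POM. The fragment below is an added example, not code from this issue or from the Lettuce project; it assumes a Maven build and uses the io.netty:netty-bom artifact (a real Netty BOM, chosen here rather than taken from the issue) so that every Netty module is moved together instead of leaving netty-codec and netty-handler on different versions.

```xml
<!-- Added example (not from the issue or the Lettuce project).
     Goal: keep lettuce-core 5.2.2.RELEASE but force all io.netty
     artifacts it pulls in to 4.1.48.Final, the version the maintainer
     cites as already adopted upstream. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>lettuce-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the Netty BOM manages the version of every Netty
           module at once. Pinning only netty-codec and netty-handler
           would leave netty-common, netty-buffer, netty-transport and
           netty-resolver at 4.1.45.Final, a mixed-version state Netty
           does not support. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>4.1.48.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged application dependency; its own POM still declares
         netty-handler 4.1.45.Final, but managed versions win over
         Maven's nearest-wins transitive resolution. -->
    <dependency>
      <groupId>io.lettuce</groupId>
      <artifactId>lettuce-core</artifactId>
      <version>5.2.2.RELEASE</version>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm the override took effect with `mvn dependency:tree -Dincludes=io.netty` and check that no io.netty artifact still resolves to 4.1.45.Final; a scanner that flags the report shown in the first screenshot keys on the resolved version, so the tree output is what should clear it. Overriding a library's declared Netty version is a compatibility decision as well as a security one, so run the project's Redis integration tests against the pinned version before shipping it.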
@narayar
Author

narayar commented Apr 14, 2020

@mp911de I don't see 5.3.0 available in Maven Central (https://repo1.maven.org/maven2/io/lettuce/lettuce-core/). Is it coming anytime soon?
