
Bump netty dependencies to 4.1.62.Final #16353

Closed
wtlucy opened this issue Mar 25, 2021 · 0 comments
Assignees: wtlucy
Labels: in:Transport, release bug (This bug is present in a released version of Open Liberty), release:21004, team:Sirius

Comments

wtlucy commented Mar 25, 2021

Dependabot opened a PR to update netty-codec-http2 due to a CVE in the version we consume: #16180

Edit: we'll skip 4.1.60 in favor of 4.1.61: #16417
Another edit: Netty released 4.1.62 a few hours after 4.1.61 to address a regression (https://netty.io/news/2021/03/31/4-1-62-Final.html), so we'll go with that one.

Currently Liberty only uses Netty for its grpcClient-1.0 feature, and that code is not vulnerable per the description at GHSA-wm47-8v5p-wjpj. So we don't need an update to address the vulnerability, but regardless I'll use this issue to do the update.

This update has been blocked due to an incompatibility in gRPC with the updates made in Netty 4.1.60 - see grpc/grpc-java#7953. Fixes for that will be available in 1.35.1 and 1.36.1, so once those are released we can update these dependencies together.

@wtlucy wtlucy added the bug This bug is not present in a released version of Open Liberty label Mar 25, 2021
@wtlucy wtlucy self-assigned this Mar 25, 2021
@wtlucy wtlucy added in:Transport release bug This bug is present in a released version of Open Liberty team:Sirius and removed bug This bug is not present in a released version of Open Liberty labels Mar 25, 2021
@wtlucy wtlucy added this to General Issues in Web Tier Team via automation Mar 25, 2021
@wtlucy wtlucy moved this from General Issues to gRPC - Open Work in Web Tier Team Mar 25, 2021
@wtlucy wtlucy moved this from gRPC - Open Work to Replace CFW with Netty in Web Tier Team Mar 25, 2021
@wtlucy wtlucy changed the title Bump netty dependencies to 4.1.60.Final Bump netty dependencies to 4.1.61.Final Mar 30, 2021
@wtlucy wtlucy changed the title Bump netty dependencies to 4.1.61.Final Bump netty dependencies to 4.1.62.Final Mar 31, 2021
@wtlucy wtlucy closed this as completed Apr 1, 2021
Web Tier Team automation moved this from Replace CFW with Netty to Completed Tasks Apr 1, 2021