Update netty to 4.1.86.Final to remediate CVE-2022-41881 #3512
Comments
My organization is tagging this as well. I know netty just got updated a few months ago to 4.1.78, but it needs to get updated again to clear this issue; severity is High.
Ping @llinder
On Fri, 3 Mar 2023, 19:38 rweinsteinPGH wrote:
My organization is tagging this as well. I know netty just got updated a few months ago to 4.1.78, but it needs to get updated again to clear this issue; severity is High.
@jcchavezs @llinder - Can you please let us know if zipkin is really affected by CVE-2022-41881?
Bump to match Spring Boot v2.7.12
Remediates CVE-2022-41881
Ref issue: openzipkin#3512
This CVE seems to be inherited from Spring Boot and is resolved in Spring Boot v2.7.12. I can confirm this is being picked up on my end as well, as the only CVE left to remediate in Zipkin 2.24.2, although it uses v2.7.12 since it's specified in https://github.com/openzipkin/zipkin/blob/1acbc8651df50aa8200cbff725285a1cb1c759d9/pom.xml#LL57C1-L58C1. Opened a PR using netty 4.1.92.Final to match, to see if there are any conflicts. References:
Bump netty version from 4.1.78.Final to 4.1.86.Final
Remediates CVE-2022-41881
Ref issue: openzipkin#3512
@jcchavezs @llinder I think we should favor bumping to 4.1.92.Final (#3548) to match the current Spring Boot version.
chore(deps): Update netty from 4.1.78.Final to 4.1.92.Final
Bump to match Spring Boot v2.7.12
Remediates CVE-2022-41881
Ref issue: #3512

Bump netty version to 4.1.95.Final and match Spring Boot v2.7.14
Remediates CVE-2022-41881, CVE-2023-34462
Ref issue: #3512
Latest version of zipkin has all netty CVEs addressed.
zipkin is getting flagged in our security scans due to the presence of io.netty:netty-codec-haproxy:4.1.78.Final, which has CVE-2022-41881. Is there any plan to upgrade io.netty:netty-codec-haproxy to 4.1.86.Final to get around this?
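A check for the scenario in the issue body, added here as an example and not code from the zipkin project or from anyone in this thread: it parses `mvn dependency:tree` output (a constructed sample below, not a real zipkin build) and flags every io.netty artifact resolved below 4.1.86.Final, the version the issue names as remediating CVE-2022-41881. The sample tree lines, the helper names and the set of Maven scopes are assumptions.

```python
import re

# Constructed sample of `mvn dependency:tree` output; not taken from the zipkin build.
SAMPLE_TREE = """\
[INFO] io.zipkin:zipkin-server:jar:2.24.2
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.7.12:compile
[INFO] +- io.netty:netty-codec-haproxy:jar:4.1.78.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] \\- io.netty:netty-handler:jar:4.1.92.Final:compile
"""

# First netty release the issue names as remediating CVE-2022-41881.
FIXED_VERSION = "4.1.86.Final"
# Maven dependency scopes; the scope is the last coordinate field when present.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_version(version):
    """'4.1.86.Final' -> (4, 1, 86); the qualifier is dropped, so only
    the numeric parts are compared."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def parse_coordinate(line):
    """Return (groupId, artifactId, version) for one dependency:tree line,
    or None for lines that carry no Maven coordinate (plugin banners etc.)."""
    m = re.search(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$", line)
    if not m:
        return None
    parts = m.group(1).split(":")
    # group:artifact:type[:classifier]:version[:scope]
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return parts[0], parts[1], version


def vulnerable_netty(tree_text, fixed=FIXED_VERSION):
    """List (artifactId, version) for every io.netty artifact below `fixed`,
    in the order the tree lists them."""
    findings = []
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord is None or coord[0] != "io.netty":
            continue
        _, artifact, version = coord
        if parse_version(version) < parse_version(fixed):
            findings.append((artifact, version))
    return findings


if __name__ == "__main__":
    for artifact, version in vulnerable_netty(SAMPLE_TREE):
        print(f"{artifact} {version} is below {FIXED_VERSION} (CVE-2022-41881)")
```

Run it against a real tree with `mvn dependency:tree | python3 check_netty.py` style piping after swapping SAMPLE_TREE for stdin; transitive netty modules pulled in through Spring Boot show up alongside netty-codec-haproxy.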