Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade netty dependencies to address CVE-2024-47535 #24137

Merged
merged 1 commit into from
Dec 9, 2024
Merged

Upgrade netty dependencies to address CVE-2024-47535 #24137

merged 1 commit into from
Dec 9, 2024

Conversation

infvg
Copy link
Contributor

@infvg infvg commented Nov 25, 2024
edited
Loading

Description

Upgrade the netty dependencies to CVE-2024-47535
If implemented this will:
Upgrade the netty dependencies to 4.1.115.Final

Motivation and Context

This upgrade was created to deal with CVEs found in lower versions

Impact

None

Release Notes

== RELEASE NOTES ==

General Changes
* Upgrade netty dependencies to version 4.1.115.Final in response to `CVE-2024-47535 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47535>`_. :pr:`24137`

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Nov 25, 2024
@prestodb-ci prestodb-ci requested review from a team, aaneja and zuyu and removed request for a team November 25, 2024 10:17
@infvg infvg force-pushed the netty-upgrade branch 2 times, most recently from 9687bae to cfcc15d Compare November 25, 2024 12:57
@infvg infvg marked this pull request as ready for review November 26, 2024 13:51
@infvg infvg requested review from jaystarshot and a team as code owners November 26, 2024 13:51
@infvg infvg requested a review from presto-oss November 26, 2024 13:51
@infvg infvg force-pushed the netty-upgrade branch 3 times, most recently from 583c49d to 2d45ed7 Compare November 26, 2024 20:13
jaystarshot
jaystarshot previously approved these changes Dec 2, 2024
View reviewed changes
aaneja
aaneja previously approved these changes Dec 3, 2024
View reviewed changes
@infvg
Upgrade netty dependencies to address CVE-2024-47535
3fa2086 
Upgrade the netty dependencies to resolve CVE-2024-47535
If implemented this will:
Upgrade the netty dependencies to 4.1.115.Final
@infvg infvg dismissed stale reviews from aaneja and jaystarshot via 3fa2086 December 3, 2024 20:42
jaystarshot
jaystarshot reviewed Dec 3, 2024
View reviewed changes
pom.xml
@@ -209,10 +210,12 @@
<dependencies>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
<version>4.1.107.Final</version>
<artifactId>netty-bom</artifactId>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why did the artifact id change? Maybe netty is not used at all?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

several different netty dependencies are being used. Only netty-handler's version is being overrided (although all of them should be the same version). I've replaced this with the netty-bom to synchronize all netty dependencies to that version.

@infvg infvg requested a review from jaystarshot December 4, 2024 00:02
@denodo-research-labs
Copy link
Contributor

LG!

@tdcmeehan tdcmeehan merged commit 5013e2e into prestodb:master Dec 9, 2024
57 checks passed
@tdcmeehan tdcmeehan mentioned this pull request Dec 9, 2024
Closed
6 tasks
This was referenced Jan 28, 2025
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@jaystarshot jaystarshot jaystarshot approved these changes

@aaneja aaneja aaneja left review comments

@zuyu zuyu Awaiting requested review from zuyu zuyu was automatically assigned from prestodb/ibm-reviewers

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

Assignees
No one assigned
Labels
from:IBM PR from IBM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@infvg @denodo-research-labs @aaneja @tdcmeehan @jaystarshot @prestodb-ci