Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Bump netty for CVE-2024-47535 #3241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 23, 2024
Merged

Bump netty for CVE-2024-47535 #3241

merged 3 commits into from
Dec 23, 2024

Conversation

russwyte
Copy link
Contributor

@russwyte russwyte commented Dec 8, 2024

Addresses CVE alert I have been getting from github dependabot.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47535

guizmaii
guizmaii reviewed Dec 19, 2024
View reviewed changes
@guizmaii
Copy link
Member

guizmaii commented Dec 19, 2024
edited
Loading

@russwyte I updated to 4.1.116 and it seems that we're using a deprecated method, making the CI fail. Could you have a look, please?

@russwyte
Copy link
Contributor Author

russwyte commented Dec 19, 2024
edited
Loading

@russwyte I updated to 4.1.116 and it seems that we're using a deprecated method, making the CI fail. Could you have a look, please?

Sure - I will look.

@russwyte
Copy link
Contributor Author

@guizmaii Fortunately it was easy fix - just a deprecated method. 👍

guizmaii
guizmaii reviewed Dec 19, 2024
View reviewed changes
zio-http/jvm/src/main/scala/zio/http/netty/server/ServerSSLDecoder.scala
@@ -131,7 +131,7 @@ private[zio] class ServerSSLDecoder(sslConfig: SSLConfig, cfg: Server.Config) ex
val httpBehaviour = sslConfig.behaviour
if (in.readableBytes < 5)
()
else if (SslHandler.isEncrypted(in)) {
else if (SslHandler.isEncrypted(in, false)) {
Copy link
Member

@guizmaii guizmaii Dec 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@russwyte Just for my information, what is this false for?

Found the PR making the change: netty/netty#14243

image

guizmaii
guizmaii approved these changes Dec 19, 2024
View reviewed changes
Copy link
Member

@guizmaii guizmaii left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@russwyte
Copy link
Contributor Author

I just went with the strongly suggested option.

@987Nabil 987Nabil enabled auto-merge (squash) December 23, 2024 05:57
@987Nabil 987Nabil merged commit e6fa725 into zio:main Dec 23, 2024
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guizmaii guizmaii guizmaii approved these changes

@987Nabil 987Nabil 987Nabil approved these changes

@jdegoes jdegoes Awaiting requested review from jdegoes jdegoes is a code owner

@vigoo vigoo Awaiting requested review from vigoo vigoo is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@russwyte @guizmaii @987Nabil