IBMStreams / streamsx.eventstore

Toolkit for IBM Db2 Event Store integration.
https://ibmstreams.github.io/streamsx.eventstore/
Apache License 2.0

Vulnerability in io.netty:netty-all #96

Closed schubon closed 4 years ago

schubon commented 4 years ago

Details

CVE-2019-16869, moderate severity
Vulnerable versions: < 4.1.42
Patched version: 4.1.42

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Remediation

Upgrade io.netty:netty-all to version 4.1.42 or later. For example:

<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-all</artifactId>
  <version>[4.1.42,)</version>
</dependency>

Always verify the validity and compatibility of suggestions with your codebase.
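To make the advisory text concrete, here is an added example (written for this page, not Netty code and not part of the issue) of why whitespace before the colon turns into request smuggling. Three toy header-name policies stand in for the parsers involved: "lenient" still recognises the field despite the space (the pre-4.1.42 behaviour the advisory describes), "literal" keeps the name as written so it never matches and framing falls back to Content-Length (a hypothetical front-end proxy, assumed for the demo), and "strict" rejects the message, which is what RFC 7230 section 3.2.4 requires and what the 4.1.42 fix does. The sample request is constructed inline.

```python
"""Toy HTTP/1.1 framing for CVE-2019-16869 (added example, not Netty's code).

Assumptions: the "lenient" and "literal" policies are simplified stand-ins
for a back-end and a front-end; real parsers have more cases than this.
"""


def parse_head(raw: bytes):
    """Split one message into (request line, [(name, value)], remainder)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value.strip()))  # name kept exactly as sent
    return lines[0], headers, rest


def lenient(name: bytes) -> bytes:
    """Pre-4.1.42 style: whitespace around the name is silently dropped."""
    return name.strip().lower()


def literal(name: bytes) -> bytes:
    """Hypothetical front-end: 'Transfer-Encoding ' is just an unknown field."""
    return name.lower()


def strict(name: bytes) -> bytes:
    """RFC 7230 3.2.4 / Netty 4.1.42: whitespace before the colon is an error."""
    if name != name.strip():
        raise ValueError("whitespace around header name: %r" % name)
    return name.lower()


def read_chunked(rest: bytes):
    """Consume a chunked body; return (body, bytes left on the connection)."""
    body, pos = b"", 0
    while True:
        nl = rest.index(b"\r\n", pos)
        size = int(rest[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            end = rest.index(b"\r\n", pos)  # skip the (empty) trailer section
            return body, rest[end + 2:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def read_messages(raw: bytes, policy) -> list:
    """Return the request lines a parser using `policy` sees on this stream."""
    seen = []
    while raw:
        request_line, headers, rest = parse_head(raw)
        fields = {policy(n): v for n, v in headers}
        if b"chunked" in fields.get(b"transfer-encoding", b"").lower():
            _, raw = read_chunked(rest)
        else:
            raw = rest[int(fields.get(b"content-length", b"0")):]
        seen.append(request_line)
    return seen


def strict_rejects(raw: bytes) -> bool:
    try:
        read_messages(raw, strict)
        return False
    except ValueError:
        return True


# Constructed CL.TE payload: the chunked body ends immediately ("0\r\n\r\n"),
# and Content-Length covers everything, including the trailing GET.
SMUGGLED = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example\r\n\r\n"
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example\r\n"
          b"Content-Length: %d\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n" % len(SMUGGLED)) + SMUGGLED
CLEAN = SAMPLE.replace(b"Transfer-Encoding :", b"Transfer-Encoding:")

if __name__ == "__main__":
    print("front-end sees:", read_messages(SAMPLE, literal))
    print("back-end sees: ", read_messages(SAMPLE, lenient))
    print("strict rejects:", strict_rejects(SAMPLE))
```

The front-end frames the whole payload as one POST by Content-Length, while the lenient back-end honours the chunked encoding and treats the leftover bytes as a second request (GET /admin) on the same connection. With the space removed (CLEAN), every policy frames the stream the same way, which is the whole point of the 4.1.42 change: refuse the ambiguous message instead of guessing.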

markheger commented 4 years ago

pom file already contains 4.1.42.Final, maybe the check is not working properly:

    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>4.1.42.Final</version>
      <exclusions>
        <exclusion>
          <groupId>*</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>