Closed emorneau closed 10 months ago
Locally fixed by changing build.gradle with "implementation('software.amazon.awssdk:auth:2.20.162')" For others (remove txt file): aws-msk-iam-auth-2.0.3-all.jar.txt
replace above file with this one: aws-msk-iam-auth-2.0.3-all.jar.txt
build.gradle changes.

1) Added the following lines:

```groovy
// remove the three lines below once the ion-java update is provided across aws-java-sdk* libs
configurations.implementation {
    exclude group: 'software.amazon.ion', module: 'ion-java'
}
```

2) Extra "dependencies" lines:

```groovy
implementation('io.netty:netty-codec-http2:4.1.100.Final')
implementation(files('libs/ion-java-1.10.5.jar'))
```
Thanks for reporting this to us! We have upgraded the AWS SDK version and released the new version 2.0.3.
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
aws-msk-iam-auth-2.0.2-all.jar is causing the following:
```
Issues to fix by upgrading:

  Upgrade software.amazon.awssdk:auth@2.20.121 to software.amazon.awssdk:auth@2.20.162 to fix
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-5953332] in io.netty:netty-codec-http2@4.1.94.Final
    introduced by software.amazon.awssdk:auth@2.20.121 > io.netty:netty-codec-http2@4.1.94.Final
  ✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-SOFTWAREAMAZONION-6153869] in software.amazon.ion:ion-java@1.0.2
    introduced by software.amazon.awssdk:auth@2.20.121 > software.amazon.ion:ion-java@1.0.2
```
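An added example, not code from this thread or from the aws-msk-iam-auth project: a Python check that reads the Maven metadata bundled inside an `-all.jar` and lists copies of netty-codec-http2 or ion-java older than the versions the workaround in this thread pins. It assumes the fat jar keeps its `META-INF/maven/.../pom.properties` entries; `FLOORS`, `below_floor` and `make_jar` are hypothetical names, and the jars built by `make_jar` are constructed sample data.

```python
import io
import re
import sys
import zipfile

# Floors are the versions pinned by the workaround in this thread, keyed by
# artifactId; they are an assumption, not verified minimum fixed versions.
FLOORS = {"netty-codec-http2": "4.1.100.Final", "ion-java": "1.10.5"}
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def version_key(version):
    """Compare on numeric components so 4.1.94.Final sorts below 4.1.100.Final."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def bundled_versions(jar):
    """Map (groupId, artifactId) -> version from Maven metadata left in a fat jar."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if m:
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines()
                             if "=" in l and not l.startswith("#"))
                found[m.groups()] = props.get("version", "").strip()
    return found


def below_floor(jar):
    """List bundled copies of the flagged artifacts that are older than FLOORS."""
    return sorted((f"{g}:{a}", v) for (g, a), v in bundled_versions(jar).items()
                  if a in FLOORS and version_key(v) < version_key(FLOORS[a]))


def make_jar(entries):
    """Constructed in-memory jar for demonstration: (group, artifact, version) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for g, a, v in entries:
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#Generated\ngroupId={g}\nartifactId={a}\nversion={v}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__" and len(sys.argv) > 1:
    for coord, ver in below_floor(sys.argv[1]):
        print(f"{coord} {ver} is below {FLOORS[coord.split(':')[1]]}")
```

An empty result only means no older copy was found through this metadata; a jar that strips `pom.properties` during shading needs a different check, such as a dependency report from the build.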