clj-commons / aleph

Asynchronous streaming communication for Clojure - web server, web client, and raw TCP/UDP
http://aleph.io
MIT License
2.54k stars, 241 forks

Bump netty version #694

Closed. svdo closed this 1 year ago

svdo commented 1 year ago

Because of https://nvd.nist.gov/vuln/detail/CVE-2023-44487

KingMob commented 1 year ago

This will be closed by #687

bitti commented 1 year ago

> This will be closed by #687

When can this be merged/released? We currently have CVEs open due to the transitive netty dependencies when using Aleph 6.3. (The current version btw is 4.1.101.Final so this PR is already slightly outdated.)

KingMob commented 1 year ago

Probably in the next week. It's undergoing final review.

> The current version btw is 4.1.101.Final so this PR is already slightly outdated.

Netty is a huge project. We won't just bump up a Netty version without a re-review to see what it might affect. Is there something particularly relevant in 4.1.101?

bitti commented 1 year ago

> Is there something particularly relevant in 4.1.101?

Compared to 4.1.100? No, for us only CVE-2023-44487 is relevant which we need to fix in our projects before Thanksgiving and that's supposed to be fixed in 4.1.100.

bitti commented 1 year ago

> Probably in the next week. It's undergoing final review.

Will this be a new major version? Wouldn't that be an argument for another minor release with just the netty update for consumers who don't want to take the bigger step right away?

KingMob commented 1 year ago

Hmmm. Yeah, I can do that.

I won't promise to do it for all CVEs, though; there's getting to be too many low-quality, exaggerated CVEs in recent years, and Aleph has limited resources.

KingMob commented 1 year ago

@bitti OK, it's out: https://clojars.org/aleph/versions/0.6.4

If your company has more specific needs with Aleph, please consider reaching out on Slack in the future. I'm happy to work out training, Q&A, and consulting needs for Aleph/Manifold users.

KingMob commented 1 year ago

Fixed by 79a3396883247f189c3e7ee75b37f2f2e3469c50

bitti commented 1 year ago

> I won't promise to do it for all CVEs, though; there's getting to be too many low-quality, exaggerated CVEs in recent years, and Aleph has limited resources.

I understand that, and I doubt that we're even exploitable by CVE-2023-44487, since we don't use streams. Still, big firms need to adhere to certain compliance standards, sadly. Of course, we can also pull in netty as an explicit dependency to make the update, and I don't want to waste any valuable developer time which could go into Aleph. Still, if the release is easy and quick to do for you, it's appreciated!

bitti commented 1 year ago

> @bitti OK, it's out: clojars.org/aleph/versions/0.6.4

Thanks, that's very nice of you! 🥇

> If your company has more specific needs with Aleph, please consider reaching out on Slack in the future. I'm happy to work out training, Q&A, and consulting needs for Aleph/Manifold users.

Thanks for the offer! Probably not at the moment, since we haven't even migrated all our Clojure services to Aleph yet, but who knows what may happen in the future.

KingMob commented 1 year ago

@bitti Yeah, the irony of cutting a 0.6.x release for that CVE is that Aleph 0.6.x doesn't support HTTP/2, so you couldn't ever have been attacked by that method. (Streams in Manifold != streams in HTTP/2, btw)

Stuff like this is why maintainers are souring on the current way CVEs are handled. It's a problem for Netty, but not Aleph, yet everyone has these security dashboards raising 5-alarm fires. If it were anything more than just 30 mins spent retesting, updating the changelog, deploying, etc., I might not have done it, but I'd already vetted 4.1.100 for the H2 code.
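Two practical points come out of the exchange above: bitti's option of pinning Netty explicitly in the consuming project, and KingMob's observation that the Rapid Reset path only exists where the HTTP/2 codec is actually on the classpath. The script below is an added example (not Aleph project code) that triages a Clojure dependency tree the way a practitioner would before deciding whether a scanner finding is reachable. It parses the text printed by `clojure -Stree` (tools.deps) or `lein deps :tree` (Leiningen), compares every `io.netty` artifact numerically against the 4.1.100.Final fix release named in the thread, and reports whether `io.netty/netty-codec-http2` is present at all. The two dependency trees embedded in it are constructed samples; the artifact names and versions in them are assumptions, not Aleph's real dependency list, and the "HTTP/2 codec absent means the vulnerable path is absent" rule is a heuristic.

```python
"""Triage io.netty versions in a Clojure dependency tree against CVE-2023-44487.

Added example, not code from the Aleph project. The dependency trees below are
constructed samples; their artifact lists and versions are assumptions.
"""
import re

# First Netty release carrying the fix, per the thread above.
FIXED_NETTY = (4, 1, 100)

# Netty's HTTP/2 implementation lives in this artifact. If it is not on the
# classpath the Rapid Reset code path is not there either (heuristic).
HTTP2_ARTIFACT = "io.netty/netty-codec-http2"

# Constructed sample in `clojure -Stree` style (assumed artifact list).
TREE_TOOLS_DEPS = """\
aleph/aleph 0.6.3
  . io.netty/netty-handler 4.1.97.Final
    . io.netty/netty-codec 4.1.97.Final
  . io.netty/netty-codec-http 4.1.97.Final
  . io.netty/netty-resolver-dns 4.1.97.Final
  . manifold/manifold 0.4.1
org.clojure/clojure 1.11.1
"""

# Constructed sample in `lein deps :tree` style, after pinning Netty to
# 4.1.100.Final, with the HTTP/2 codec present this time (assumed).
TREE_LEIN_PATCHED = """\
 [aleph "0.6.4"]
   [io.netty/netty-codec-http "4.1.100.Final"]
   [io.netty/netty-codec-http2 "4.1.100.Final"]
   [io.netty/netty-handler "4.1.100.Final"]
   [manifold "0.4.1"]
 [org.clojure/clojure "1.11.1"]
"""

# Matches `io.netty/<artifact> <version>` in either tool's output format.
_NETTY_RE = re.compile(
    r'(io\.netty/[A-Za-z0-9_.-]+)\s+"?(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?'
)


def parse_netty_version(text: str) -> tuple:
    """'4.1.100.Final' -> (4, 1, 100). Integer tuples compare numerically;
    a plain string comparison ranks '4.1.99.Final' above '4.1.100.Final'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?", text)
    if not m:
        raise ValueError(f"not a Netty version: {text!r}")
    return tuple(int(x) for x in m.groups())


def netty_artifacts(tree: str) -> list:
    """Return [(artifact, version_string)] for every io.netty line in tree."""
    found = []
    for line in tree.splitlines():
        m = _NETTY_RE.search(line)
        if m:
            version = ".".join(m.group(i) for i in (2, 3, 4))
            if m.group(5):
                version += "." + m.group(5)
            found.append((m.group(1), version))
    return found


def assess(tree: str) -> dict:
    """Which Netty artifacts predate the fix, whether the HTTP/2 codec is on
    the classpath, and whether the Rapid Reset path is therefore reachable."""
    artifacts = netty_artifacts(tree)
    outdated = [
        (name, version)
        for name, version in artifacts
        if parse_netty_version(version) < FIXED_NETTY
    ]
    http2_present = any(name == HTTP2_ARTIFACT for name, _ in artifacts)
    return {
        "netty_artifacts": len(artifacts),
        "outdated": outdated,
        "http2_codec_present": http2_present,
        # Dashboards flag on version alone; exposure also needs the H2 codec.
        "scanner_will_flag": bool(outdated),
        "h2_rapid_reset_reachable": http2_present and bool(outdated),
    }


if __name__ == "__main__":
    for label, tree in (("0.6.3 sample", TREE_TOOLS_DEPS),
                        ("0.6.4 pinned sample", TREE_LEIN_PATCHED)):
        print(label, assess(tree))
```

Feed it real output (`clojure -Stree > tree.txt` or `lein deps :tree > tree.txt`) in place of the constructed samples. If the report shows outdated artifacts, the quickest fix without waiting for an upstream release is the one bitti mentions: pin the `io.netty` artifacts yourself, by listing them at the top level of `deps.edn` (tools.deps lets top-level versions win over transitive ones) or under Leiningen's `:managed-dependencies`. Keep the distinction the report makes, though: a version below 4.1.100.Final will satisfy a compliance scanner's rule regardless of whether `netty-codec-http2` is present, while actual exposure to Rapid Reset additionally requires that the server speaks HTTP/2.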

KingMob commented 1 year ago

@bitti I can also help with migrations 😉