CVE-2024-29025 - Githubissues

clj-commons / aleph

Asynchronous streaming communication for Clojure - web server, web client, and raw TCP/UDP

http://aleph.io

MIT License

2.54k stars 241 forks source link

CVE-2024-29025 #724

Closed David-Ongaro closed 5 months ago

David-Ongaro commented 5 months ago

Following up on https://github.com/clj-commons/aleph/issues/718#issuecomment-2125503420 I'd like to ask if a minor release can be cut to get the netty update to 4.1.108.Final in? Or, if you think it's not ready yet, can you do a backport with just this update to the 6.x line?

I'm aware that this CVE is probably hardly relevant for Aleph, but we're getting flagged in our builds because of it.

KingMob commented 5 months ago

@DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.

I'm aware that this CVE is probably hardly relevant for Aleph

AFAICT, it does impact Aleph's multipart code. (Well, if you're HTTP2-only, it doesn't affect you. The multipart code isn't yet adapted to the HTTP2 code, since there's little need for it in HTTP2, other than for backwards-compatibility.)

DerGuteMoritz commented 5 months ago

@DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.

Yeah, let's. I meant to wrap up https://github.com/clj-commons/aleph/pull/721 first but it's probably fine to defer that to the release after that one. I just pushed another dependency bump (Netty 4.1.110.Final was released in the meantime): https://github.com/clj-commons/aleph/pull/725 -- with that, I think we're good to go! Will get in touch via Slack with you about the next steps.

DerGuteMoritz commented 5 months ago

@David-Ongaro Alright, a new release is in the making, see https://github.com/clj-commons/aleph/pull/726 -- as you can see, the tests are currently failing on that branch. I think it's flaking but a single retry didn't yet fix it. Unfortunately, I have to leave now and will likely only be able to continue on Monday. If somebody has time to look into the test failures in the meantime, that'd be great :pray: Otherwise I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started :smile:

David-Ongaro commented 5 months ago

I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started 😄

Thanks for the quick turnaround! I wish you a good weekend!

DerGuteMoritz commented 5 months ago

@David-Ongaro 0.8.0 has just been released which bumps Netty to 4.1.110.Final and more (see changelog). Thanks for your patience and keep Alephing :smile: