cloudant-labs / clouseau

Expose Lucene features as an erlang-like node
Apache License 2.0

Update Netty to address critical CVEs #68

Open bradbm opened 1 year ago

bradbm commented 1 year ago

Clouseau shades Netty 3.2.10, which contains https://nvd.nist.gov/vuln/detail/CVE-2019-20444 and https://nvd.nist.gov/vuln/detail/CVE-2019-20445.

These both appear to relate to HttpObjectDecoder, which I see no references to in the Clouseau code. Looks like Clouseau only uses the org.jboss.netty.buffer.ChannelBuffer class.

jboss.netty 3.2.10 was released in 2013 and has since been moved to just netty; 4.1.91 is the latest, with 5.0.0 in pre-release.

Even if not exploitable, there is increasing demand from governments and enterprises to update dependencies regardless.

I'll open a PR and see if a simple version / name change happens to work
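The reachability question raised above (does the code base touch the class the CVEs concern, or only `ChannelBuffer`?) is something a reviewer will want to verify rather than eyeball. The script below is an added example, not Clouseau project code: it walks a tree of Java/Scala sources, collects every `org.jboss.netty` class that is imported or referenced by fully qualified name, checks that set against a watch list (here only `HttpObjectDecoder`, the class named in the issue), and separately reports wildcard imports, since an `import org.jboss.netty.handler.codec.http._` makes the class list incomplete and the "not referenced" conclusion unsafe. The sample source files are constructed inline for the demo.

```python
"""Audit which org.jboss.netty classes a source tree actually references.

Added example, not part of the Clouseau project. The watch list holds only the
class the issue names (HttpObjectDecoder); the assumption that the two CVEs live
in that class is taken from the issue text, not verified here.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

SOURCE_SUFFIXES = {".java", ".scala"}
WATCHLIST = ["HttpObjectDecoder"]  # simple class names to flag if reachable

# 'import org.jboss.netty.buffer.ChannelBuffer' or an inline fully qualified
# reference such as 'new org.jboss.netty.buffer.ChannelBuffers'.
NETTY_CLASS_REF = re.compile(r"\borg\.jboss\.netty(?:\.[a-z_]\w*)*\.([A-Z]\w*)")
# Scala '._' and Java '.*' wildcard imports: the class list cannot be resolved
# from the source text alone, so these must be reported rather than ignored.
NETTY_WILDCARD = re.compile(r"\bimport\s+(org\.jboss\.netty(?:\.[a-z_]\w*)*)\.(?:_|\*)")


def audit_tree(root: str, watchlist: List[str]) -> Dict[str, object]:
    """Scan every .java/.scala file under root for Netty references."""
    files_by_class: Dict[str, set] = {}
    wildcard_packages = set()
    for path in Path(root).rglob("*"):
        if path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = str(path.relative_to(root))
        for m in NETTY_CLASS_REF.finditer(text):
            files_by_class.setdefault(m.group(0), set()).add(rel)
        for m in NETTY_WILDCARD.finditer(text):
            wildcard_packages.add(m.group(1))
    simple_names = {fq.rsplit(".", 1)[-1] for fq in files_by_class}
    return {
        "referenced": sorted(files_by_class),
        "files": {fq: sorted(fs) for fq, fs in files_by_class.items()},
        "watchlist_hits": sorted(simple_names & set(watchlist)),
        "wildcard_packages": sorted(wildcard_packages),
    }


def conclusion(report: Dict[str, object]) -> str:
    """Turn the report into the statement a reviewer can actually make."""
    if report["watchlist_hits"]:
        return "watch-listed class referenced: " + ", ".join(report["watchlist_hits"])
    if report["wildcard_packages"]:
        return "no direct reference, but wildcard imports prevent ruling it out"
    return "watch-listed classes not referenced"


# Constructed sample sources (hypothetical, not Clouseau's real files).
SAMPLE_SOURCES = {
    "ClouseauLike.scala": (
        "package example\n"
        "import org.jboss.netty.buffer.ChannelBuffer\n"
        "import org.jboss.netty.buffer.ChannelBuffers\n"
        "class Codec { def wrap(b: Array[Byte]): ChannelBuffer = "
        "ChannelBuffers.wrappedBuffer(b) }\n"
    ),
    "Other.java": "import java.util.List;\nclass Other { List<String> x; }\n",
}
SAMPLE_WITH_WILDCARD = dict(SAMPLE_SOURCES)
SAMPLE_WITH_WILDCARD["Http.scala"] = "import org.jboss.netty.handler.codec.http._\n"


def write_sources(root: str, sources: Dict[str, str]) -> None:
    for name, body in sources.items():
        Path(root, name).write_text(body, encoding="utf-8")


def demo(sources: Dict[str, str] = SAMPLE_SOURCES) -> Dict[str, object]:
    """Write the constructed sample into a temp dir, audit it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        write_sources(root, sources)
        report = audit_tree(root, WATCHLIST)
    report["conclusion"] = conclusion(report)
    return report


if __name__ == "__main__":
    for label, srcs in (("clean", SAMPLE_SOURCES), ("wildcard", SAMPLE_WITH_WILDCARD)):
        r = demo(srcs)
        print(label, "->", r["referenced"], "|", r["conclusion"])
```

Run against a real checkout by replacing `demo()` with `audit_tree("/path/to/clouseau/src", WATCHLIST)`; the wildcard report is the part worth reading first, because a single `._` import silently widens what the code can reach. This checks source references only; classes reached through the shaded jar at runtime (reflection, transitive Netty internals) are outside what a text scan can prove, which is one more reason the version bump the issue proposes is the real fix.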