Closed dbrrr closed 1 year ago
Hey folks!
lein-nvd reports vulnerabilities in Jetty, which is a dependency used by the http-client:

    [com.cognitect.aws/api "0.8.539" :exclusions [[org.clojure/data.json]]]
      [com.cognitect/http-client "1.0.110"]
        [org.eclipse.jetty/jetty-client "9.4.44.v20210927"]
          [org.eclipse.jetty/jetty-io "9.4.44.v20210927"]
The CVEs are listed as follows:

    +---------------------------------+---------------+
    | dependency                      | status        |
    +---------------------------------+---------------+
    | jetty-http-9.4.44.v20210927.jar | CVE-2022-2047 |
    | jetty-io-9.4.44.v20210927.jar   | CVE-2022-2191 |
    +---------------------------------+---------------+
With accompanying links: CVE-2022-2047 CVE-2022-2191
The issues both seem to span a range of releases:

> In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions
So a fix with minimal changes may be to bump to 9.4.48.v20220622, although the current version is at 11.0.11
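As an added example (not code from the issue or from the aws-api project), the check below applies the affected ranges quoted above to Jetty version strings and to a `lein deps :tree` style listing, so a team can confirm which resolved Jetty artifacts fall inside the ranges and that a bump such as 9.4.48.v20220622 lands outside them. The sample tree is constructed for the example; the range bounds are exactly the ones quoted in the issue.

```python
import re

# Affected ranges quoted in the issue for CVE-2022-2047 and CVE-2022-2191
# (inclusive): 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, 11.0.0 thru 11.0.9.
AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 46)),
    ((10, 0, 0), (10, 0, 9)),
    ((11, 0, 0), (11, 0, 9)),
]

# Jetty versions look like "9.4.44.v20210927": a numeric triple plus an
# optional date qualifier that plays no role in ordering within a line.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(version: str) -> tuple:
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    v = parse_jetty_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Matches one Jetty entry in `lein deps :tree` output, e.g.
#   [org.eclipse.jetty/jetty-io "9.4.44.v20210927"]
_DEP_RE = re.compile(r'\[(org\.eclipse\.jetty/[\w-]+)\s+"([^"]+)"\]')


def affected_jetty_deps(deps_tree: str) -> list:
    """Return (artifact, version) pairs whose version is in an affected range."""
    return [(artifact, version)
            for artifact, version in _DEP_RE.findall(deps_tree)
            if is_affected(version)]


# Constructed sample tree following the dependency chain reported in the issue.
SAMPLE_TREE = """\
[com.cognitect.aws/api "0.8.539" :exclusions [[org.clojure/data.json]]]
  [com.cognitect/http-client "1.0.110"]
    [org.eclipse.jetty/jetty-client "9.4.44.v20210927"]
      [org.eclipse.jetty/jetty-http "9.4.44.v20210927"]
      [org.eclipse.jetty/jetty-io "9.4.44.v20210927"]
"""

if __name__ == "__main__":
    for artifact, version in affected_jetty_deps(SAMPLE_TREE):
        print(f"{artifact} {version} is in an affected range")
    print("9.4.48.v20220622 affected?", is_affected("9.4.48.v20220622"))
```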
This is fixed in main, but not yet released. I'll have a release out today or Monday with this fix. cc @MageMasher
Released in version com.cognitect.aws/api-0.8.575
Thank you!! 🙏