ffay / lanproxy

lanproxy is an intranet penetration (NAT traversal) tool that exposes personal computers and servers on a LAN to the public internet. It supports TCP traffic forwarding and can carry any protocol layered on TCP (accessing intranet websites, debugging local payment interfaces, SSH access, remote desktop, HTTP proxy, HTTPS proxy, SOCKS5 proxy, ...). Technical discussion QQ group: 736294209
https://nat.nioee.com
5.61k stars, 1.52k forks

upgrade netty-all to a secure version / Upgrade netty-all to fix vulnerabilities #178

Open zly123987123 opened 2 years ago

zly123987123 commented 2 years ago

hi, io.netty:netty-all:4.0.36.Final has CVEs: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445. Would you please consider upgrading it to 4.1.68.Final to fix all these vulnerabilities? We noticed that Dependabot proposed another upgrade, which is still subject to "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445", "CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612" after upgrading. We have run the tests, and they all passed.

Hello, we found that io.netty:netty-all:4.0.36.Final has the following vulnerabilities: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445. Please consider upgrading it to 4.1.68.Final to fix all of these vulnerabilities. We noticed that Dependabot proposed upgrading to 4.1.42.Final, but that upgraded version is still affected by "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445", "CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612". Our upgrade passed the unit tests; the log is below. Please consider our suggestion, thank you!


[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.fengfei:proxy-common:jar:0.1
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ org.fengfei:lanproxy:0.1, /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/pom.xml, line 57, column 21
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.fengfei:proxy-protocol:jar:0.1
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ org.fengfei:lanproxy:0.1, /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/pom.xml, line 57, column 21
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.fengfei:lanproxy:pom:0.1
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ line 57, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] lanproxy                                                           [pom]
[INFO] proxy-common                                                       [jar]
[INFO] proxy-protocol                                                     [jar]
[INFO] proxy-server                                                       [jar]
[INFO] proxy-client                                                       [jar]
[INFO]
[INFO] ------------------------< org.fengfei:lanproxy >------------------------
[INFO] Building lanproxy 0.1                                              [1/5]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] ----------------------< org.fengfei:proxy-common >----------------------
[INFO] Building proxy-common 0.1                                          [2/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-common ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-common/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-common ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-common ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-common/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-common ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-common ---
[INFO] No tests to run.
[INFO]
[INFO] ---------------------< org.fengfei:proxy-protocol >---------------------
[INFO] Building proxy-protocol 0.1                                        [3/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-protocol ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-protocol/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-protocol ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-protocol ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-protocol/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-protocol ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-protocol ---
[INFO] No tests to run.
[INFO]
[INFO] ----------------------< org.fengfei:proxy-server >----------------------
[INFO] Building proxy-server 0.1                                          [4/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-server ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 6 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-server ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-server ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 3 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-server ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-server ---
[INFO] Surefire report directory: /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-server/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

[INFO]
[INFO] ----------------------< org.fengfei:proxy-client >----------------------
[INFO] Building proxy-client 0.1                                          [5/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-client ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 6 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-client ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-client ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 3 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-client ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-client ---
[INFO] Surefire report directory: /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-client/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------

Results :

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for lanproxy 0.1:
[INFO]
[INFO] lanproxy ........................................... SUCCESS [  0.099 s]
[INFO] proxy-common ....................................... SUCCESS [  1.501 s]
[INFO] proxy-protocol ..................................... SUCCESS [  0.049 s]
[INFO] proxy-server ....................................... SUCCESS [  0.717 s]
[INFO] proxy-client ....................................... SUCCESS [  0.390 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.954 s
[INFO] Finished at: 2022-08-31T15:38:41+08:00
[INFO] ------------------------------------------------------------------------

Thank you for your attention!
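A CI-style check for the upgrade the reporter asks for, added here as an example and not part of lanproxy or this PR: it reads the io.netty:netty-all version from a pom.xml (the pom fragment below is constructed) and compares it with 4.1.68.Final using Maven-style ordering, so that both the original 4.0.36.Final and the Dependabot proposal 4.1.42.Final are reported as below the requested minimum.

```python
"""Flag a pom.xml whose io.netty:netty-all version is below a required minimum.
Added example for this issue, not lanproxy's own code; SAMPLE_POM is constructed."""
import re
import xml.etree.ElementTree as ET

MIN_NETTY = "4.1.68.Final"  # the version the reporter asks for
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
RELEASE_QUALIFIERS = {"", "final", "ga", "release"}  # Maven treats these as "no qualifier"

# Constructed pom fragment mirroring the dependency this issue is about.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>4.0.36.Final</version>
    </dependency>
  </dependencies>
</project>"""


def version_key(version):
    """Map '4.1.68.Final' to a comparable tuple: numeric parts (trailing zeros
    dropped so 4.1 == 4.1.0), a release flag, then any pre-release qualifier.
    A release sorts after a pre-release (Beta, CR) of the same number; ordering
    between different pre-release qualifiers is plain alphabetical here."""
    nums, quals = [], []
    for part in re.split(r"[.\-]", version):
        (nums if part.isdigit() else quals).append(part)
    nums = [int(n) for n in nums]
    while nums and nums[-1] == 0:
        nums.pop()
    qualifier = "-".join(q.lower() for q in quals)
    is_release = qualifier in RELEASE_QUALIFIERS
    return (tuple(nums), is_release, "" if is_release else qualifier)


def netty_all_version(pom_xml):
    """Return the literal io.netty:netty-all version declared in the pom, or None."""
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        if (group, artifact) == ("io.netty", "netty-all"):
            return dep.findtext("m:version", default="", namespaces=NS).strip() or None
    return None


def meets_minimum(version, minimum=MIN_NETTY):
    return version_key(version) >= version_key(minimum)


def check_pom(pom_xml, minimum=MIN_NETTY):
    """(ok, message) for CI; an absent or ${property} version is reported, never assumed safe."""
    version = netty_all_version(pom_xml)
    if version is None or version.startswith("${"):
        return False, "netty-all version not declared literally; resolve it before judging"
    ok = meets_minimum(version, minimum)
    return ok, f"netty-all {version} {'>=' if ok else '<'} {minimum}"


if __name__ == "__main__":
    print(check_pom(SAMPLE_POM))
```

The check intentionally fails closed on a `${netty.version}` property so a parent-managed version is resolved (for example with `mvn help:effective-pom`) rather than silently passed.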