rsocket / rsocket-java

Java implementation of RSocket
http://rsocket.io
Apache License 2.0
2.35k stars 354 forks

Bump reactor-bom to 2020.0.24 to fix CVE in reactor-netty #1088

Closed akonarska closed 1 year ago

akonarska commented 1 year ago

The newest release of rsocket, that is 1.1.3, is using reactor-bom with version 2020.0.23 that brings in reactor-netty in version 1.0.23. This version is susceptible to CVE-2022-31684. The first version of reactor-netty that fixes that is 1.0.24, and it is available in 2020.0.24.

Please bump the version to fix this.

akonarska commented 1 year ago

Hey @OlegDokuka, any chance the 1.1.4 version of rsocket will be released soon to address this vulnerability? Thanks!

akonarska commented 1 year ago

It was addressed in the 1.1.4 release.
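
A check that a consumer still on rsocket 1.1.3 could run over their own Gradle dependency report, added here as an example; it is not part of the issue thread or of the rsocket-java project. It assumes Gradle-style `dependencies` output, treats anything resolved below the versions named in the issue (reactor-netty 1.0.24, reactor-bom 2020.0.24) as outdated, and runs on a constructed sample tree; `find_outdated` is a hypothetical helper name.

```python
import re

# Floors taken from the issue: reactor-netty 1.0.24 is the first fixed
# release, and it ships in reactor-bom 2020.0.24.
FIXED_NETTY = (1, 0, 24)
FIXED_BOM = (2020, 0, 24)

COORD = re.compile(
    r"(io\.projectreactor(?:\.netty)?):([\w.-]+)"  # group:artifact
    r"(?::(\d+(?:\.\d+)*)[\w.-]*)?"                # declared version, if any
    r"(?:\s*->\s*(\d+(?:\.\d+)*))?"                # Gradle "-> resolved" version
)

# Constructed sample in the style of `gradle dependencies` output.
SAMPLE_TREE = r"""
+--- io.projectreactor:reactor-bom:2020.0.23
+--- io.rsocket:rsocket-transport-netty:1.1.3
|    \--- io.projectreactor.netty:reactor-netty-core:1.0.23
+--- io.projectreactor.netty:reactor-netty-http:1.0.23 -> 1.0.24
\--- io.projectreactor:reactor-core:3.4.23
"""


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def find_outdated(tree_text):
    """Return sorted (coordinate, version) pairs resolved below the fixed release."""
    hits = set()
    for group, artifact, declared, resolved in COORD.findall(tree_text):
        # The version after "->" is what ends up on the classpath, so an
        # override to 1.0.24 clears a declared 1.0.23 (and a downgrade is caught).
        effective = resolved or declared
        if not effective:
            continue  # non-numeric version such as an old release-train name
        if group == "io.projectreactor.netty" and artifact.startswith("reactor-netty"):
            floor = FIXED_NETTY
        elif group == "io.projectreactor" and artifact == "reactor-bom":
            floor = FIXED_BOM
        else:
            continue
        if parse_version(effective) < floor:
            hits.add((f"{group}:{artifact}", effective))
    return sorted(hits)


if __name__ == "__main__":
    for coordinate, version in find_outdated(SAMPLE_TREE):
        print(f"outdated: {coordinate}:{version}")
```
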