twitter / finagle

A fault tolerant, protocol-agnostic RPC system
https://twitter.github.io/finagle
Apache License 2.0

Could you help upgrade the vulnerable dependency in com.twitter:finagle-mux? #927

Closed HelenParr closed 2 years ago

HelenParr commented 2 years ago

Hi, @mariusae, @kevinoliver, I'd like to report a vulnerable dependency issue in com.twitter:finagle-mux_2.13:22.3.0.

Issue Description

I noticed that com.twitter:finagle-mux_2.13:22.3.0 directly depends on org.lz4:lz4-java:1.6.0 in the pom, as shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 suffers from the vulnerability which the C library lz4 (version 1.9.1) exposed, containing a high severity CVE: CVE-2019-17543.

Dependency Graph between Java and Shared Libraries


Suggested Vulnerability Patch Versions

org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded the vulnerable C library lz4 to the patch version 1.9.2.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr
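The report above makes the point that Java build tools see only the lz4-java coordinate, not the lz4 C library it bundles. As an added example (not finagle's own code, and not part of the thread), the script below scans `mvn dependency:tree`-style output for org.lz4:lz4-java pins older than 1.7.0, the first release the report names as shipping the patched native lz4 1.9.2; the sample tree is constructed, with only the finagle-mux -> lz4-java 1.6.0 edge taken from the report.

```python
"""Flag lz4-java versions that bundle the lz4 C library affected by CVE-2019-17543."""
import re
from typing import Dict, List, Tuple

# From the issue: lz4-java < 1.7.0 bundles lz4 C library < 1.9.2 (CVE-2019-17543).
FIXED_LZ4_JAVA: Tuple[int, ...] = (1, 7, 0)
# Artifacts known to embed a native library, with the first safe version and the CVE.
BUNDLED_NATIVE = {"org.lz4:lz4-java": ("lz4 C library", FIXED_LZ4_JAVA, "CVE-2019-17543")}

# Maven coordinates as printed by dependency:tree: group:artifact:jar:version[:scope]
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.6.0' -> (1, 6, 0); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def scan_dependency_tree(tree_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per occurrence of a known native-bundling artifact below its fixed version."""
    findings = []
    for line in tree_lines:
        match = COORD_RE.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        key = f"{group}:{artifact}"
        if key not in BUNDLED_NATIVE:
            continue
        native, fixed, cve = BUNDLED_NATIVE[key]
        if parse_version(version) < fixed:
            findings.append({
                "artifact": key, "version": version, "native": native, "cve": cve,
                "fix": f"upgrade to >= {'.'.join(map(str, fixed))}",
            })
    return findings


# Constructed sample of 'mvn dependency:tree' output (only the finagle-mux -> lz4-java
# 1.6.0 edge reflects the report; the 1.7.1 test-scope line is invented for contrast).
SAMPLE_TREE = [
    "[INFO] com.example:service:jar:1.0.0",
    "[INFO] +- com.twitter:finagle-mux_2.13:jar:22.3.0:compile",
    "[INFO] |  \\- org.lz4:lz4-java:jar:1.6.0:compile",
    "[INFO] \\- org.lz4:lz4-java:jar:1.7.1:test",
]

if __name__ == "__main__":
    for finding in scan_dependency_tree(SAMPLE_TREE):
        print(f"{finding['artifact']}:{finding['version']} bundles vulnerable "
              f"{finding['native']} ({finding['cve']}); {finding['fix']}")
```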

xin301x commented 2 years ago

This is an automatic vacation reply from QQ Mail. Hello, I am currently on vacation and cannot reply to your email in person. I will reply to you as soon as possible after the holiday.

jyanJing commented 2 years ago

Hi @HelenParr, thank you for reporting this issue. When I clicked the link you posted for the CVE, it said "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided." It might be worth waiting for the result before we attempt an upgrade so we can understand the root cause of the vulnerability. What do you think?

HelenParr commented 2 years ago

Dear @jyanJing, thanks for your help. I understand.

mosesn commented 2 years ago

This is easy enough, so we're going to do it.

mosesn commented 2 years ago

This was done, thanks for filing the ticket: https://github.com/twitter/finagle/commit/305c467c2ba8f72b2ada012b592b000b961809a4