twitter / finagle

A fault tolerant, protocol-agnostic RPC system
https://twitter.github.io/finagle
Apache License 2.0
8.77k stars 1.45k forks

Update the Netty to latest version (4.1.108.Final) - Vulnerability CVE-2024-29025 #964

Open bebaskar opened 2 months ago

bebaskar commented 2 months ago

Currently the Finagle library uses Netty version 4.1.100.Final, which is vulnerable to https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 (CVE-2024-29025).

To remove this, the Netty version should be >= 4.1.108.Final.

Steps to reproduce the behavior:

Scan the docker image with twistcli (https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images)
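A lightweight check for the same condition from the build side, as an added example that is not part of the issue or of Finagle itself: it parses an sbt/Maven-style dependency listing (a constructed sample, not a real Finagle build) and flags every `io.netty` artifact below the 4.1.108.Final floor the issue asks for, comparing version components numerically rather than as strings.

```python
import re

# Minimum Netty version requested in the issue.
MIN_NETTY = "4.1.108.Final"

# Constructed sample of dependency-tree output; not taken from a real build.
SAMPLE_DEPS = """\
[info]   +-com.twitter:finagle-core_2.13:CONSTRUCTED
[info]   | +-io.netty:netty-codec-http:4.1.100.Final
[info]   | +-io.netty:netty-handler:4.1.100.Final
[info]   +-com.fasterxml.jackson.core:jackson-databind:2.16.1
[info]   +-io.netty:netty-codec-http2:4.1.108.Final
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(.*))?$")
_DEP_RE = re.compile(r"(io\.netty):([A-Za-z0-9_.-]+):([0-9][A-Za-z0-9.]*)")


def parse_netty_version(v: str) -> tuple:
    """Split '4.1.108.Final' into (4, 1, 108) for numeric comparison.

    A plain string comparison is wrong here ('4.1.99' sorts after
    '4.1.108'), so each numeric component is converted to an int and the
    trailing qualifier ('Final') is ignored.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {v!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_below_minimum(v: str, minimum: str = MIN_NETTY) -> bool:
    """True when Netty version `v` is older than `minimum`."""
    return parse_netty_version(v) < parse_netty_version(minimum)


def find_outdated_netty(dep_tree: str, minimum: str = MIN_NETTY) -> list:
    """Return (artifact, version) pairs for io.netty artifacts below `minimum`."""
    hits = []
    for line in dep_tree.splitlines():
        m = _DEP_RE.search(line)
        if m and is_below_minimum(m.group(3), minimum):
            hits.append((m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for artifact, version in find_outdated_netty(SAMPLE_DEPS):
        print(f"{artifact} {version} is below {MIN_NETTY}; upgrade required")
```

Feeding it the output of `sbt dependencyTree` or `mvn dependency:tree` from your own build gives the same verdict the image scanner produced, before an image is ever built.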

bebaskar commented 1 month ago

Please can someone help to update Netty to the version that fixes the vulnerability?