Closed neterium closed 1 year ago
We have already upgraded and will release this week.
Note that Vert.x is not affected by this CVE because we use the Netty class in Vert.x HTTP server request and client responses which are never written to an output. Vert.x HTTP server response and client request are implemented by Vert.x itself instead.
```
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ vertx-core ---
[INFO] io.vertx:vertx-core:jar:4.3.7-SNAPSHOT
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.86.Final:compile
[INFO] |  +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-handler-proxy:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec-socks:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http2:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-resolver:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-resolver-dns:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec-dns:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-haproxy:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.14.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.14.0:compile
```
Describe the feature
Patchable vulnerability
Contribution
Should upgrade netty to 4.1.86.Final to fix this patchable vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2022-41915
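
A way to confirm the upgrade from `mvn dependency:tree` output like the listing in this thread, as an added example that is not part of the issue or of the Vert.x project: it lists every `io.netty` artifact resolved below 4.1.86.Final, the version the issue asks for. The function names and the sample tree are constructed for illustration.

```python
import re

# Upgrade target named in the issue (4.1.86.Final), as a comparable tuple.
FIXED = (4, 1, 86)

# A Maven coordinate at the end of a dependency:tree line, after the tree art.
COORD = re.compile(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$")

def parse_version(text):
    """Leading numeric part of a version: '4.1.86.Final' -> (4, 1, 86)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def outdated_netty(tree_output, fixed=FIXED):
    """Return (artifact, version) for io.netty entries older than `fixed`."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        fields = m.group(1).split(":")
        if fields[0] != "io.netty":
            continue
        # Dependency lines read group:artifact:type[:classifier]:version:scope,
        # so the version is second from the end even when a classifier is present.
        version = fields[-2]
        parsed = parse_version(version)
        # Numeric comparison (4.1.100 > 4.1.86); unparseable versions are
        # reported rather than silently passed.
        if parsed is None or parsed < fixed:
            findings.append((fields[1], version))
    return findings

# Constructed sample, not output from any real build.
SAMPLE = r"""[INFO] io.example:demo-app:jar:1.0.0
[INFO] +- io.netty:netty-codec-http:jar:4.1.85.Final:compile
[INFO] |  \- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.14.0:compile
"""

if __name__ == "__main__":
    for artifact, version in outdated_netty(SAMPLE):
        print(f"{artifact} {version} is below 4.1.86.Final")
```

Because transitive dependencies can pin an older Netty than the one the top-level POM declares, the check runs on the resolved tree rather than on the POM.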