[ 
https://issues.apache.org/jira/browse/CASSJAVA-113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18044548#comment-18044548
 ] 

Bret McGuire commented on CASSJAVA-113:
---------------------------------------

A quick update; we've bumped the Netty version for this change up to 4.1.129 to
bring in some additional lz4 fixes for other CVEs.

> Update Netty for driver to 4.1.126.Final
> ----------------------------------------
>
>                 Key: CASSJAVA-113
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-113
>             Project: Apache Cassandra Java driver
>          Issue Type: Task
>          Components: Core
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> There are various CVE scanners which detect that 4.19.0, which uses Netty
> 4.1.94, contains CVEs. While I do not personally think they are exploitable,
> the scanners will trigger an alarm and then it is virtually impossible to
> persuade people looking at these scanners that it is most probably just fine.
> In order to fix this issue, we need to bump the Netty version to e.g. 4.1.126. I
> see that in the current trunk it is 4.1.119 so it should be a pretty smooth
> bump.


