You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@arrow.apache.org by "Hui Yu (Jira)" <ji...@apache.org> on 2022/09/27 06:21:00 UTC
[jira] [Created] (ARROW-17850) [Java] Upgrade netty-codec-http dependencies
Hui Yu created ARROW-17850:
------------------------------
Summary: [Java] Upgrade netty-codec-http dependencies
Key: ARROW-17850
URL: https://issues.apache.org/jira/browse/ARROW-17850
Project: Apache Arrow
Issue Type: Bug
Components: Java
Affects Versions: 9.0.0
Reporter: Hui Yu
[CVE-2022-24823]([https://github.com/advisories/GHSA-269q-hmxg-m83q]) reports a security vulnerability for *netty-codec-http*
Now the version of *netty-codec-http* in the master branch is *4.1.72.Final,* that is unsafe.
The ticket [ARROW-16996](https://issues.apache.org/jira/browse/ARROW-16996) bumps *netty-codec* to {*}4.1.78.Final{*}, it didn't bump ** {*}netty-codec-http.{*}{*}{*}
Can you upgrade the version of this depenency ?
Here is my output of mvn:dependency now:
```bash
[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] | +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] | | | \- io.netty:netty-codec-http:jar:4.1.72.Final:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] | | | \- io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] | | +- io.perfmark:perfmark-api:jar:0.25.0:runtime
[INFO] | | \- io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] | +- io.grpc:grpc-core:jar:1.47.0:compile
[INFO] | | +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] | +- io.grpc:grpc-context:jar:1.47.0:compile
[INFO] | +- io.grpc:grpc-protobuf:jar:1.47.0:compile
[INFO] | | +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] | | \- io.grpc:grpc-protobuf-lite:jar:1.47.0:compile
[INFO] | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
[INFO] | | +- io.netty:netty-tcnative-classes:jar:2.0.53.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.53.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.53.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.53.Final:compile
[INFO] | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.53.Final:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] | | +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] | | \- io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] | +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | +- io.grpc:grpc-stub:jar:1.47.0:compile
[INFO] | +- com.google.protobuf:protobuf-java:jar:3.21.2:compile
[INFO] | +- io.grpc:grpc-api:jar:1.47.0:compile
[INFO] | \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
```
--
This message was sent by Atlassian Jira
(v8.20.10#820010)