Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2022/05/17 15:30:00 UTC

[jira] [Commented] (CASSANDRA-17633) netty vulnerable to CVE-2022-24823

    [ https://issues.apache.org/jira/browse/CASSANDRA-17633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538285#comment-17538285 ] 

Brandon Williams commented on CASSANDRA-17633:
----------------------------------------------

From [this page|https://www.cve.org/CVERecord?id=CVE-2022-24823]:

bq. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290.

We already suppress CVE-2021-21290 and a host of others for this HTTP stuff we don't use, so we will suppress this too.

||Branch||Circle||
|[3.0|https://github.com/driftx/cassandra/tree/CASSANDRA-17633-3.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/488/workflows/f558c0b1-6499-4aa0-9e6d-bfc9703dce41]|
|[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-17633-3.11]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/487/workflows/f5a022f5-c7ec-42a8-9309-65adf11dde92]|
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-17633-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/485/workflows/df74b108-6127-4229-b1eb-76d63fb402c9], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/485/workflows/b2fdc0f6-7601-41af-8f45-48ed5583c8a9]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-17633-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/486/workflows/5971c06f-7b43-44c1-970c-02283b28543b], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/486/workflows/f7301676-fc59-4d71-b5a0-06be05d899c1]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-17633-trunk]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/485/workflows/df74b108-6127-4229-b1eb-76d63fb402c9], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/484/workflows/057192e4-dca7-4fd1-a1c5-7175b8daeec5]|
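The comment above describes suppressing a finding for HTTP codec code the project does not use. To show what such a scoped suppression looks like in practice, here is an added example of an OWASP dependency-check suppression entry; it is not the change from the linked branches, and the file location, the `until` re-review date and the exact package URL pattern are assumptions for this example rather than values taken from the ticket.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a dependency-check suppression entry; not the project's own file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Keep the suppression narrow: one artifact, one CVE, with the reason recorded
       and an expiry so the decision is revisited instead of silenced forever.
       The "until" date is an assumption chosen for this example. -->
  <suppress until="2023-01-01Z">
    <notes><![CDATA[
      CASSANDRA-17633: CVE-2022-24823 is an incomplete fix for CVE-2021-21290 in
      netty-codec-http. The HTTP codec is not used here, so the finding is
      suppressed on the same grounds as the existing CVE-2021-21290 suppression.
    ]]></notes>
    <!-- Match only the netty-all artifact (any version), not every io.netty module. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-all@.*$</packageUrl>
    <cve>CVE-2022-24823</cve>
  </suppress>
</suppressions>
```

Pinning the suppression to a single `<cve>` rather than suppressing the whole artifact means a future, unrelated netty advisory still fails the build, and the `until` attribute makes dependency-check re-report the CVE once the date passes, which is a useful prompt to check whether the dependency has since been upgraded past 4.1.77.Final.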





> netty vulnerable to CVE-2022-24823
> ----------------------------------
>
>                 Key: CASSANDRA-17633
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17633
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.11.x, 4.0.x, 4.1-beta, 4.1.x
>
>
> {noformat}
> Dependency-Check Failure:
> One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0': 
> netty-all-4.0.44.Final.jar: CVE-2022-24823
> See the dependency-check report for more details.
> {noformat}
> We already have suppressions for 4.0.44 and I suspect this will be another but should be investigated.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
