Posted to jira@arrow.apache.org by "Hui Yu (Jira)" <ji...@apache.org> on 2022/09/27 06:22:00 UTC

[jira] [Updated] (ARROW-17850) [Java] Upgrade netty-codec-http dependencies

     [ https://issues.apache.org/jira/browse/ARROW-17850?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hui Yu updated ARROW-17850:
---------------------------
    Description: 
[CVE-2022-24823](https://github.com/advisories/GHSA-269q-hmxg-m83q) reports a security vulnerability for *netty-codec-http*.

Now the version of *netty-codec-http* in the master branch is *4.1.72.Final*, which is unsafe.

The ticket https://issues.apache.org/jira/browse/ARROW-16996 bumps *netty-codec* to *4.1.78.Final*, but it didn't bump *netty-codec-http*.

Can you upgrade the version of this dependency?

 

Here is my output of mvn:dependency now:

```bash
[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] |  +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.72.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] |  |  |  \- io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] |  |  +- io.perfmark:perfmark-api:jar:0.25.0:runtime
[INFO] |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] |  +- io.grpc:grpc-core:jar:1.47.0:compile
[INFO] |  |  +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] |  +- io.grpc:grpc-context:jar:1.47.0:compile
[INFO] |  +- io.grpc:grpc-protobuf:jar:1.47.0:compile
[INFO] |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] |  |  \- io.grpc:grpc-protobuf-lite:jar:1.47.0:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-classes:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.53.Final:compile
[INFO] |  |  \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.53.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |  +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |  +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- io.grpc:grpc-stub:jar:1.47.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.21.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.47.0:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
```

  was:
[CVE-2022-24823](https://github.com/advisories/GHSA-269q-hmxg-m83q) reports a security vulnerability for *netty-codec-http*.

Now the version of *netty-codec-http* in the master branch is *4.1.72.Final*, which is unsafe.

The ticket [ARROW-16996](https://issues.apache.org/jira/browse/ARROW-16996) bumps *netty-codec* to *4.1.78.Final*, but it didn't bump *netty-codec-http*.

Can you upgrade the version of this dependency?

 

Here is my output of mvn:dependency now:

```bash

[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] |  +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.72.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] |  |  |  \- io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] |  |  +- io.perfmark:perfmark-api:jar:0.25.0:runtime
[INFO] |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] |  +- io.grpc:grpc-core:jar:1.47.0:compile
[INFO] |  |  +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] |  +- io.grpc:grpc-context:jar:1.47.0:compile
[INFO] |  +- io.grpc:grpc-protobuf:jar:1.47.0:compile
[INFO] |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] |  |  \- io.grpc:grpc-protobuf-lite:jar:1.47.0:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-classes:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.53.Final:compile
[INFO] |  |  \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.53.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |  +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |  +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- io.grpc:grpc-stub:jar:1.47.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.21.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.47.0:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile

```


> [Java] Upgrade netty-codec-http dependencies
> --------------------------------------------
>
>                 Key: ARROW-17850
>                 URL: https://issues.apache.org/jira/browse/ARROW-17850
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: 9.0.0
>            Reporter: Hui Yu
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
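The dependency tree quoted in this ticket can be checked mechanically rather than by eye. The script below is an added example, not code from the ticket or from the Apache Arrow project: it parses `mvn dependency:tree` output, flags any artifact that sits below a configured version floor together with the chain of parents that pulled it in (here flight-core -> grpc-netty -> netty-codec-http2 -> netty-codec-http), and goes one step beyond the ticket by reporting version skew across the Netty modules, since a tree that mixes 4.1.72.Final and 4.1.78.Final is itself the signature of an incomplete bump. The floor for netty-codec-http is an assumption taken from the ticket's own earlier Netty bump (4.1.78.Final); the exact fixed release should be confirmed against the GHSA advisory linked above. The sample input is constructed from the tree posted in the ticket, trimmed to the Netty-related lines, and the `MINIMUM_VERSIONS` table, `SAMPLE_TREE` and all function names are the example's own.

```python
"""Scan `mvn dependency:tree` output for artifacts below a required version.

Added example for the ticket above; not Arrow project code.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the Netty-related lines of the tree quoted in the ticket.
SAMPLE_TREE = r"""
[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] |  +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-http:jar:4.1.72.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] |  |  |  \- io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |  +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.78.Final:compile
"""

# Assumed floor: the version the ticket's earlier Netty bump (ARROW-16996) uses.
# Confirm the exact fixed release against the advisory (GHSA-269q-hmxg-m83q).
MINIMUM_VERSIONS = {("io.netty", "netty-codec-http"): "4.1.78.Final"}

# "[INFO] |  |  \- group:artifact:type[:classifier]:version:scope"
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*[+\\]- )(?P<coord>\S+)$")


class Artifact(NamedTuple):
    group: str
    name: str
    version: str
    scope: str
    path: Tuple[str, ...]  # parents that pulled this artifact in, root first


def parse_tree(text: str) -> List[Artifact]:
    """Parse tree lines into artifacts, recovering the parent chain from depth."""
    stack: List[str] = []
    artifacts: List[Artifact] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3 - 1  # each tree column is 3 chars wide
        parts = m.group("coord").split(":")
        if len(parts) == 5:
            group, name, _type, version, scope = parts
        elif len(parts) == 6:  # coordinate with a classifier, e.g. linux-x86_64
            group, name, _type, _classifier, version, scope = parts
        else:
            continue
        del stack[depth:]  # drop ancestors at this depth or deeper
        artifacts.append(Artifact(group, name, version, scope, tuple(stack)))
        stack.append(f"{group}:{name}")
    return artifacts


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only; qualifiers such as '.Final' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_below_minimum(artifacts, minimums=MINIMUM_VERSIONS) -> List[Tuple[Artifact, str]]:
    """Return (artifact, floor) pairs for artifacts older than their floor."""
    hits = []
    for a in artifacts:
        floor = minimums.get((a.group, a.name))
        if floor is not None and version_key(a.version) < version_key(floor):
            hits.append((a, floor))
    return hits


def find_version_skew(artifacts, group="io.netty", prefix="netty-",
                      exclude_prefix="netty-tcnative") -> Dict[str, List[str]]:
    """Map version -> module names within one family; more than one key is skew.
    netty-tcnative follows its own 2.0.x line, so it is excluded from the check."""
    by_version: Dict[str, List[str]] = {}
    for a in artifacts:
        if a.group != group or not a.name.startswith(prefix) or a.name.startswith(exclude_prefix):
            continue
        by_version.setdefault(a.version, []).append(a.name)
    return by_version


def report(text: str) -> List[str]:
    """Human-readable findings for one dependency tree."""
    artifacts = parse_tree(text)
    lines = []
    for a, floor in find_below_minimum(artifacts):
        chain = " -> ".join(a.path + (f"{a.group}:{a.name}",))
        lines.append(f"{a.group}:{a.name}:{a.version} is below {floor}; pulled in via {chain}")
    skew = find_version_skew(artifacts)
    if len(skew) > 1:
        detail = ", ".join(f"{v} [{' '.join(names)}]" for v, names in sorted(skew.items()))
        lines.append(f"Netty version skew: {detail}")
    return lines


if __name__ == "__main__":
    # Reads a real tree from a pipe; falls back to the embedded sample otherwise.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    print("\n".join(report(source)) or "no findings")
```

Run it against live output with `mvn dependency:tree | python check_tree.py`; without a pipe it scans the embedded sample. The reported parent chain is the useful part for the fix: it shows that the old netty-codec-http is not declared by Arrow itself but arrives through grpc-netty, so bumping Arrow's direct Netty dependencies alone leaves it in place. In Maven, the transitive version is overridden by pinning the artifact in the parent POM's `<dependencyManagement>` section, and the skew check gives a quick confirmation afterwards that every Netty 4.1.x module resolved to the same release.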