You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Jan Busch (Jira)" <se...@james.apache.org> on 2020/04/09 09:59:01 UTC

[jira] [Commented] (JAMES-2208) upgrade netty to netty-all

    [ https://issues.apache.org/jira/browse/JAMES-2208?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17079133#comment-17079133 ] 

Jan Busch commented on JAMES-2208:
----------------------------------

I think an upgrade would still be great since the latest Netty 3 version has some security flaws that are fixed in newer versions of Netty 4, see the attached file [^dependency-check-report.html]

This can make it problematic to use James in contexts with potentially sensitive software or users.

> upgrade netty to netty-all
> --------------------------
>
>                 Key: JAMES-2208
>                 URL: https://issues.apache.org/jira/browse/JAMES-2208
>             Project: James Server
>          Issue Type: Improvement
>          Components: James Core
>    Affects Versions: 3.0.0
>            Reporter: Randymo
>            Priority: Major
>         Attachments: dependency-check-report.html
>
>
> James is currently using the netty dependency 
> <dependency>
>     <groupId>io.netty</groupId>
>     <artifactId>netty</artifactId>
>     <version>3.10.6.Final</version>
> </dependency>
> I think we should upgrade to the newer artifact
> <dependency>
>     <groupId>io.netty</groupId>
>     <artifactId>netty-all</artifactId>
>     <version>4.1.16.Final</version>
> </dependency>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org