Poppy: snappy-java 1.1.10.5
Description
CSP Request Details
1. Describe issue impact on business
Data loss because Kafka crashes.
2. What institutions are affected? (field “Effected Institutions” in Jira to be populated)
All institutions that use loans, requests or check-ins. Attackers don't advertise which institutions they will attack.
3. What is the workaround if exists?
None.
4. What areas will be impacted by fix (i.e. what areas need to be retested)
Upgrading the Vert.x software library patch version doesn't need any testing beyond existing unit tests.
5. Brief explanation of technical implementation and the level of effort (in workdays) and technical risk (low/medium/high)
Low. Bump Vert.x software library patch version.
6. Brief explanation of testing required and level of effort (in workdays). Provide test plan agreed with by QA Manager and PO.
None beyond existing unit tests.
7. What is the roll back plan in case the fix does not work?
Downgrade to previous mod-circulation-storage patch version.
CSP Rejection Details
None
Potential Workaround
None
Activity
Julian Ladisch August 8, 2024 at 1:21 PM
This issue is for Poppy.
For Quesnelia we have .

Khalilah Gambrell August 6, 2024 at 10:03 PM
and - could this issue be released as a part of a Q CSP?

Stephanie Buck January 25, 2024 at 1:59 PM
Hi . Has this been approved for a CSP? If it hasn't yet, can you please start that process? Thank you!
Details
Status: Done
Assignee: Unassigned
Story Points: 0
Sprint: None
Development Team: Vega
Fix versions / Release: Poppy (R2 2023) Service Patch #7
RCA Group: Related dependency upgrade
CSP Approved: Yes
Affected releases: Poppy (R2 2023)
Created: January 25, 2024 at 11:52 AM
Updated: September 4, 2024 at 5:23 PM
Resolved: August 20, 2024 at 5:08 PM
The latest Poppy release mod-circulation-storage 17.1.8 comes with snappy-java 1.1.8.1.
Upgrade snappy-java from 1.1.8.1 to 1.1.10.5, which fixes these vulnerabilities:
https://nvd.nist.gov/vuln/detail/CVE-2023-34455 Denial of Service (DoS)
https://nvd.nist.gov/vuln/detail/CVE-2023-34453 Integer Overflow or Wraparound
https://nvd.nist.gov/vuln/detail/CVE-2023-34454 Integer Overflow or Wraparound
( https://nvd.nist.gov/vuln/detail/CVE-2023-43642 Allocation of Resources Without Limits or Throttling affects decompression only; mod-circulation-storage is a Kafka producer only and is therefore not affected )
Lessons learnt:
The RMB/Vert.x upgrade (CIRCSTORE-459) was not back-ported to the Poppy b17.1 release branch. Always upgrade to the officially supported technology versions: https://folio-org.atlassian.net/wiki/spaces/TC/pages/5056300/Poppy
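An added check for the situation above (example code, not from this ticket or the FOLIO code base): it scans mvn dependency:tree output for snappy-java entries older than the fixed 1.1.10.5, comparing versions numerically so that 1.1.10.5 correctly sorts above 1.1.9.x. The tree text is constructed; the module version and the transitive snappy-java 1.1.8.1 come from the ticket, the org.xerial groupId is the real one, and the other version strings are made-up placeholders.

```python
# Added example (not FOLIO code): flag snappy-java versions below the fixed
# release in `mvn dependency:tree` output, e.g. as a CI gate for a backport.
import re

# Lowest snappy-java version carrying the fixes listed in the ticket.
FIXED_SNAPPY_VERSION = "1.1.10.5"

# One "group:artifact:jar:version[:scope]" coordinate as Maven prints it.
# search() also matches the "(... - omitted for conflict ...)" lines that
# `-Dverbose` adds, so shadowed old copies are reported too.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+)"
)

# Constructed sample tree: 17.1.8 and snappy-java 1.1.8.1 are from the
# ticket; the "0.0.0-constructed" versions are placeholders, not real ones.
SAMPLE_TREE = """\
[INFO] org.folio:mod-circulation-storage:jar:17.1.8
[INFO] +- org.folio:domain-models-runtime:jar:0.0.0-constructed:compile
[INFO] |  \\- io.vertx:vertx-kafka-client:jar:0.0.0-constructed:compile
[INFO] |     \\- org.apache.kafka:kafka-clients:jar:0.0.0-constructed:compile
[INFO] |        \\- org.xerial:snappy-java:jar:1.1.8.1:compile
"""


def version_key(version):
    """Numeric tuple for ordering: '1.1.10.5' > '1.1.9.1', which a plain
    string compare gets wrong. A non-numeric tail such as '-SNAPSHOT' is
    dropped after its leading digits; a part with no digits counts as 0."""
    parts = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def find_vulnerable_snappy(tree_text, fixed=FIXED_SNAPPY_VERSION):
    """Return (coordinate, version) for every snappy-java entry below `fixed`."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m and m["artifact"] == "snappy-java":
            if version_key(m["version"]) < version_key(fixed):
                hits.append((f"{m['group']}:{m['artifact']}", m["version"]))
    return hits


if __name__ == "__main__":
    for coord, ver in find_vulnerable_snappy(SAMPLE_TREE):
        print(f"{coord} {ver} is below {FIXED_SNAPPY_VERSION}")
```

Pipe real output in with mvn dependency:tree -Dverbose and fail the build when the list is non-empty.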