Vert.x 4.5.7 fixing netty-codec-http form POST OOM CVE-2024-29025

Description

Upgrade Vertx from 4.5.4 to 4.5.7. This indirectly upgrades Netty from 4.1.107.Final to 4.1.108.Final fixing netty-codec-http form POST OOM:

https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
https://www.cve.org/CVERecord?id=CVE-2024-29025

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

defines

SECURITY-101

CVE-2024-29025 - Netty HttpPostRequestDecoder buffer overflow - Analysis of vulnerability

Checklist

hide

Activity

Show:

Julian Ladisch June 5, 2024 at 5:03 PM

edge-rtac 2.7.2 indeed has vertx 4.5.7: https://github.com/folio-org/edge-rtac/blob/v2.7.2/pom.xml#L50

Denis May 31, 2024 at 7:58 AM

Hello @Julian Ladisch
could you please rest/verify the changes on Q Bugfest? The edge-rtac 2.7.2 was deployed by Kitfox. Thank you
cc @Oleksandr Bashtynskyi @Oleksii Petrenko @Charlotte Whitt @Denis Anischenko

Done

Details
Assignee
Julian Ladisch
Reporter
Julian Ladisch
Tester Assignee
Julian Ladisch
Labels
non-testablesecurity
Priority
P2
Development Team
Dreamliner
Fix versions
2.7.2
Release
Quesnelia (R1 2024) Bug Fix
RCA Group
Related dependency upgrade
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created May 25, 2024 at 1:47 PM

Updated June 13, 2024 at 6:34 PM

Resolved May 27, 2024 at 8:37 AM

Configure

TestRail: Cases

TestRail: Runs

Vert.x 4.5.7 fixing netty-codec-http form POST OOM CVE-2024-29025

Description

CSP Request Details

CSP Rejection Details

Potential Workaround

Linked issues

defines

Checklist

Activity

Julian Ladisch June 5, 2024 at 5:03 PM

Denis May 31, 2024 at 7:58 AM

Details

Assignee

Reporter

Tester Assignee

Labels

Priority

Development Team

Fix versions

Release

RCA Group

TestRail: Cases

TestRail: Runs

Flag notifications

Something's gone wrong