[MODSET-10] Vert.x 4.4.6, vertx-lib 3.1.3, Netty 4.1.100.Final, Snakeyaml 2.0 Created: 16/Nov/23  Updated: 07/Dec/23  Resolved: 20/Nov/23

Status: Closed
Project: mod-settings
Components: None
Affects versions: 1.0.1
Fix versions: 1.0.2

Type: Bug Priority: P2
Reporter: Julian Ladisch Assignee: Kurt Nordstrom
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines SECURITY-19 CVE-2023-43642 snappy-java DoS. Analy... Approved
Gantt End to Start
has to be done before MODSET-12 mod-settings. Fix version: (Poppy Bug... Closed
Sprint: Thor - Sprint 179, Thor - Sprint 180
Development Team: Thor
Release: Poppy (R2 2023) Bug Fix
RCA Group: Related dependency upgrade

Description

Upgrade Vert.x from 4.3.6 to 4.4.6.
Upgrade FOLIO vertx-lib from 3.0.0 to 3.1.3.
These upgrades are upgrades from Orchid versions to Poppy versions.

The Vert.x and vertx-lib upgrades indirectly upgrade netty-codec-http2 from 4.1.85.Final to Netty 4.1.100.Final fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-44487

The Vert.x and vertx-lib upgrades indirectly upgrade netty-codec from 4.1.85.Final to Netty 4.1.100.Final fixing HTTP Response Splitting: https://nvd.nist.gov/vuln/detail/CVE-2022-41915

The Vert.x and vertx-lib upgrades indirectly upgrade netty-handler from 4.1.85.Final to Netty 4.1.100.Final fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-34462

The Vert.x and vertx-lib upgrades indirectly upgrade vertx-web from 4.1.85.Final to Netty 4.1.100.Final fixing Directory Traversal: https://nvd.nist.gov/vuln/detail/CVE-2023-24815

The Vert.x and vertx-lib upgrades indirectly upgrade snakeyaml from 1.32 to 2.0 fixing Arbitrary Code Execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471 , https://folio-org.atlassian.net/wiki/display/SEC/SnakeYaml+SafeConstructor
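Because every fix in this ticket arrives transitively, the useful check after bumping the Vert.x and vertx-lib versions is to confirm that the resolved versions of the affected artifacts actually reached the fixed releases. The script below is an added example, not code from mod-settings or the FOLIO project: it parses `mvn dependency:list` output and flags any listed artifact below the minimum version named in this ticket. The dependency listings are constructed samples (a before-upgrade and an after-upgrade state), the Netty and SnakeYAML minimums are the ones stated above, and holding `io.vertx:vertx-web` to 4.4.6 is an assumption taken from the Vert.x target version rather than from the CVE record.

```python
"""Audit a Maven dependency list against the fixed versions named in MODSET-10 (added example)."""

# Minimum versions carrying the fixes listed in the ticket, keyed by groupId:artifactId.
# The vertx-web line assumes the Vert.x 4.4.6 target of this ticket is the floor to enforce.
MINIMUM_VERSIONS = {
    "io.netty:netty-codec-http2": "4.1.100.Final",  # CVE-2023-44487 (DoS)
    "io.netty:netty-codec": "4.1.100.Final",        # CVE-2022-41915 (HTTP response splitting)
    "io.netty:netty-handler": "4.1.100.Final",      # CVE-2023-34462 (DoS)
    "io.vertx:vertx-web": "4.4.6",                  # CVE-2023-24815 (directory traversal)
    "org.yaml:snakeyaml": "2.0",                    # CVE-2022-1471 (arbitrary code execution)
}

# Constructed sample of `mvn dependency:list` output before the upgrade (not real build output).
BEFORE_UPGRADE = """\
[INFO] --- dependency:3.6.0:list (default-cli) @ mod-settings ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    io.vertx:vertx-core:jar:4.3.6:compile
[INFO]    io.vertx:vertx-web:jar:4.3.6:compile
[INFO]    io.netty:netty-codec-http2:jar:4.1.85.Final:compile
[INFO]    io.netty:netty-codec:jar:4.1.85.Final:compile
[INFO]    io.netty:netty-handler:jar:4.1.85.Final:compile
[INFO]    io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.56.Final:compile
[INFO]    org.yaml:snakeyaml:jar:1.32:compile
"""

# Constructed sample of the same listing after the Vert.x 4.4.6 / vertx-lib 3.1.3 upgrade.
AFTER_UPGRADE = """\
[INFO] The following files have been resolved:
[INFO]    io.vertx:vertx-core:jar:4.4.6:compile
[INFO]    io.vertx:vertx-web:jar:4.4.6:compile
[INFO]    io.netty:netty-codec-http2:jar:4.1.100.Final:compile
[INFO]    io.netty:netty-codec:jar:4.1.100.Final:compile
[INFO]    io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO]    io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.61.Final:compile
[INFO]    org.yaml:snakeyaml:jar:2.0:compile
"""


def parse_version(version: str) -> tuple:
    """Leading numeric components of a version: '4.1.100.Final' -> (4, 1, 100).

    Qualifiers such as 'Final' are dropped, which is sufficient for Netty, Vert.x and
    SnakeYAML release numbering. A pre-release like '2.0-SNAPSHOT' parses to (2,), which
    tuple ordering treats as older than (2, 0), so snapshots are flagged rather than trusted.
    """
    numbers = []
    for part in version.split("."):
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def parse_dependency_list(text: str):
    """Yield (groupId:artifactId, version) pairs from `mvn dependency:list` output.

    Handles both groupId:artifactId:type:version:scope and the six-field form with a
    classifier (groupId:artifactId:type:classifier:version:scope); scope is always last.
    """
    for line in text.splitlines():
        body = line.removeprefix("[INFO]").strip()
        # Banner and summary lines contain spaces; coordinates never do.
        if not body or " " in body or body.count(":") < 4:
            continue
        fields = body.split(":")
        yield f"{fields[0]}:{fields[1]}", fields[-2]


def audit(text: str, minimums=MINIMUM_VERSIONS):
    """Return [(coordinate, resolved_version, required_version)] for every artifact below its floor."""
    findings = []
    for coordinate, version in parse_dependency_list(text):
        required = minimums.get(coordinate)
        if required is not None and parse_version(version) < parse_version(required):
            findings.append((coordinate, version, required))
    return findings


if __name__ == "__main__":
    for label, listing in (("before upgrade", BEFORE_UPGRADE), ("after upgrade", AFTER_UPGRADE)):
        findings = audit(listing)
        print(f"{label}: {len(findings)} artifact(s) below the fixed version")
        for coordinate, found, required in findings:
            print(f"  {coordinate} {found} < {required}")
```

Against a real module, feed the script the output of `mvn dependency:list` (or `mvn dependency:tree -Dincludes=io.netty,org.yaml` for a quick look at who pulls the artifact in). Because the comparison is on resolved versions rather than declared ones, it also catches the case where another dependency pins an older Netty through Maven's nearest-wins resolution even after the Vert.x bump.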



Comments
Comment by Charlotte Whitt [ 30/Nov/23 ]

Hi Oleksii Petrenko - I notice that Thor had one ticket on your diagram at today's Release meeting.

This work is Awaiting Release, and was resolved on 11/20/2023. Please proceed. 

CC: Kurt Nordstrom 

Comment by Charlotte Whitt [ 06/Dec/23 ]

Hi Oleksii Petrenko - MODSET-12 has been closed, and the release has been announced in the #release channel. Please proceed with deployment.
CC: Kurt Nordstrom

Comment by JenkinsNotifications [ 07/Dec/23 ]

Deployed to the Poppy bf env. Moved status to In bugfix review from status Awaiting deployment. Please proceed with the verification.

Comment by Charlotte Whitt [ 07/Dec/23 ]

Kurt Nordstrom and Charlotte Whitt closed the ticket as done.

Generated at Thu Feb 08 22:31:12 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.