[MODSET-10] Vert.x 4.4.6, vertx-lib 3.1.3, Netty 4.1.100.Final, Snakeyaml 2.0 Created: 16/Nov/23 Updated: 07/Dec/23 Resolved: 20/Nov/23 |
|
| Status: | Closed |
| Project: | mod-settings |
| Components: | None |
| Affects versions: | 1.0.1 |
| Fix versions: | 1.0.2 |
| Type: | Bug | Priority: | P2 |
| Reporter: | Julian Ladisch | Assignee: | Kurt Nordstrom |
| Resolution: | Done | Votes: | 0 |
| Labels: | security, security-reviewed | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Issue links: |
|
| Sprint: | Thor - Sprint 179, Thor - Sprint 180 |
| Development Team: | Thor |
| Release: | Poppy (R2 2023) Bug Fix |
| RCA Group: | Related dependency upgrade |
| Description |
|
Upgrade Vert.x from 4.3.6 to 4.4.6. The Vert.x and vertx-lib upgrades indirectly upgrade the following transitive dependencies:

- netty-codec-http2 from 4.1.85.Final to 4.1.100.Final, fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- netty-codec from 4.1.85.Final to 4.1.100.Final, fixing HTTP Response Splitting: https://nvd.nist.gov/vuln/detail/CVE-2022-41915
- netty-handler from 4.1.85.Final to 4.1.100.Final, fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-34462
- vertx-web from 4.3.6 to 4.4.6, fixing Directory Traversal: https://nvd.nist.gov/vuln/detail/CVE-2023-24815
- snakeyaml from 1.32 to 2.0, fixing Arbitrary Code Execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471 , https://folio-org.atlassian.net/wiki/display/SEC/SnakeYaml+SafeConstructor |
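Because every fix in this ticket arrives transitively, the thing to verify after the bump is the resolved dependency tree, not the direct version in pom.xml. The script below is an added example, not mod-settings code: it parses the text output of `mvn dependency:tree` and reports any of the artifacts named above that are still resolved below the version this ticket moves to. The two trees are constructed from the versions in the description; the minimum versions are the ticket's targets (assumption: the first release that fixed each CVE may be lower, so the check is stricter than necessary, never looser).

```python
"""Check a `mvn dependency:tree` listing against the versions MODSET-10 upgrades to.

Added example for this ticket, not mod-settings project code.
"""
import re
from typing import List, Tuple

# Target versions from the ticket, keyed by groupId:artifactId.
# Assumption: the ticket's target versions are used as the bar; the first
# release fixing each CVE may be lower, so this check can only be stricter.
MINIMUM_VERSIONS = {
    "io.netty:netty-codec-http2": ("4.1.100.Final", "CVE-2023-44487"),
    "io.netty:netty-codec":       ("4.1.100.Final", "CVE-2022-41915"),
    "io.netty:netty-handler":     ("4.1.100.Final", "CVE-2023-34462"),
    "io.vertx:vertx-web":         ("4.4.6",         "CVE-2023-24815"),
    "org.yaml:snakeyaml":         ("2.0",           "CVE-2022-1471"),
}

# A dependency line reads  groupId:artifactId:type[:classifier]:version:scope
# after the tree prefix. The root artifact line carries no scope and is skipped.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)")


def version_key(version: str) -> Tuple[int, ...]:
    """Order versions by their numeric segments: "4.1.100.Final" -> (4, 1, 100).

    Qualifiers such as Final are ignored; that is sufficient for the Netty,
    Vert.x and SnakeYAML versions named in this ticket.
    """
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


def find_outdated(tree_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (coordinate, resolved, required, cve) for each tracked artifact
    whose resolved version is below the ticket's target."""
    findings = []
    reported = set()
    for line in tree_text.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue
        group, artifact, version, _scope = match.groups()
        coord = f"{group}:{artifact}"
        if coord not in MINIMUM_VERSIONS or coord in reported:
            continue
        required, cve = MINIMUM_VERSIONS[coord]
        if version_key(version) < version_key(required):
            reported.add(coord)
            findings.append((coord, version, required, cve))
    return findings


# Constructed sample trees (layout illustrative; versions from the ticket).
SAMPLE_TREE_BEFORE = """\
[INFO] org.folio:mod-settings:jar:1.0.1
[INFO] +- io.vertx:vertx-web:jar:4.3.6:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.85.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.85.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.85.Final:compile
[INFO] +- org.yaml:snakeyaml:jar:1.32:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

SAMPLE_TREE_AFTER = """\
[INFO] org.folio:mod-settings:jar:1.0.2
[INFO] +- io.vertx:vertx-web:jar:4.4.6:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.100.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.100.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] +- org.yaml:snakeyaml:jar:2.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

if __name__ == "__main__":
    for label, tree in (("before", SAMPLE_TREE_BEFORE), ("after", SAMPLE_TREE_AFTER)):
        hits = find_outdated(tree)
        print(f"{label}: {len(hits)} outdated artifact(s)")
        for coord, found, required, cve in hits:
            print(f"  {coord} {found} < {required} ({cve})")
```

Run it against a real tree with `mvn dependency:tree > tree.txt` (without `-Dverbose`, so only the versions Maven actually resolves appear) and feed `tree.txt` to `find_outdated`. For the SnakeYAML entry the version alone is not the whole story: 2.0 makes SafeConstructor the default, but code that explicitly passes a `Constructor` to `new Yaml(...)` keeps the unsafe behaviour, which is what the linked SafeConstructor wiki page is about.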
| Comments |
| Comment by Charlotte Whitt [ 30/Nov/23 ] |
|
Hi Oleksii Petrenko - I notice that Thor had one ticket on your diagram at today's Release meeting. This work is Awaiting Release, and was resolved on 11/20/2023. Please proceed. CC: Kurt Nordstrom |
| Comment by Charlotte Whitt [ 06/Dec/23 ] |
|
Hi Oleksii Petrenko -
|
| Comment by JenkinsNotifications [ 07/Dec/23 ] |
|
Deployed to the Poppy bf env. Moved status to In bugfix review from status Awaiting deployment. Please proceed with the verification. |
| Comment by Charlotte Whitt [ 07/Dec/23 ] |
|
Kurt Nordstrom and Charlotte Whitt closed the ticket as done. |