upgrade netty-all to a secure version 升级netty-all以修复漏洞 #178
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hi, io.netty:netty-all:4.0.36.Final has CVEs: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445. Would you please consider upgrading it to 4.1.68.Final to fix all these vulnerabilities. We noticed that Dependabot proposed another upgrade, which is still subject to "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445""CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612" after upgrading. We have run the tests, they all passed: ```[INFO] Scanning for projects... [WARNING] [WARNING] Some problems were encountered while building the effective model for org.fengfei:proxy-common:jar:0.1 [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ org.fengfei:lanproxy:0.1, /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/pom.xml, line 57, column 21 [WARNING] [WARNING] Some problems were encountered while building the effective model for org.fengfei:proxy-protocol:jar:0.1 [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ org.fengfei:lanproxy:0.1, /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/pom.xml, line 57, column 21 [WARNING] [WARNING] Some problems were encountered while building the effective model for org.fengfei:lanproxy:pom:0.1 [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ line 57, column 21 [WARNING] [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build. [WARNING] [WARNING] For this reason, future Maven versions might no longer support building such malformed projects. [WARNING] [INFO] ------------------------------------------------------------------------ [INFO] Reactor Build Order: [INFO] [INFO] lanproxy [pom] [INFO] proxy-common [jar] [INFO] proxy-protocol [jar] [INFO] proxy-server [jar] [INFO] proxy-client [jar] [INFO] [INFO] ------------------------< org.fengfei:lanproxy >------------------------ [INFO] Building lanproxy 0.1 [1/5] [INFO] --------------------------------[ pom ]--------------------------------- [INFO] [INFO] ----------------------< org.fengfei:proxy-common >---------------------- [INFO] Building proxy-common 0.1 [2/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-common --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-common/src/main/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-common --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-common --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-common/src/test/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-common --- [INFO] No sources to compile [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-common --- [INFO] No tests to run. [INFO] [INFO] ---------------------< org.fengfei:proxy-protocol >--------------------- [INFO] Building proxy-protocol 0.1 [3/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-protocol --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-protocol/src/main/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-protocol --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-protocol --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-protocol/src/test/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-protocol --- [INFO] No sources to compile [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-protocol --- [INFO] No tests to run. [INFO] [INFO] ----------------------< org.fengfei:proxy-server >---------------------- [INFO] Building proxy-server 0.1 [4/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-server --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 6 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-server --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-server --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 3 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-server --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-server --- [INFO] Surefire report directory: /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-server/target/surefire-reports ------------------------------------------------------- T E S T S ------------------------------------------------------- Results : Tests run: 0, Failures: 0, Errors: 0, Skipped: 0 [INFO] [INFO] ----------------------< org.fengfei:proxy-client >---------------------- [INFO] Building proxy-client 0.1 [5/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-client --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 6 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-client --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-client --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 3 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-client --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-client --- [INFO] Surefire report directory: /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-client/target/surefire-reports ------------------------------------------------------- T E S T S ------------------------------------------------------- Results : Tests run: 0, Failures: 0, Errors: 0, Skipped: 0 [INFO] ------------------------------------------------------------------------ [INFO] Reactor Summary for lanproxy 0.1: [INFO] [INFO] lanproxy ........................................... SUCCESS [ 0.099 s] [INFO] proxy-common ....................................... SUCCESS [ 1.501 s] [INFO] proxy-protocol ..................................... SUCCESS [ 0.049 s] [INFO] proxy-server ....................................... SUCCESS [ 0.717 s] [INFO] proxy-client ....................................... SUCCESS [ 0.390 s] [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 2.954 s [INFO] Finished at: 2022-08-31T15:38:41+08:00 [INFO] ------------------------------------------------------------------------``` Thank you for your attentions! 您好,我们发现io.netty:netty-all:4.0.36.Final 有如下漏洞: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445。烦请考虑将其升级到4.1.68.Final以修复所有漏洞。我们注意到Dependabot 建议升级到4.1.42.Final,但这个升级后的版本依然受到 "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445""CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612”的影响。我们的升级通过了单元测试,log在上面。请考虑我们的建议,谢谢您!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
hi, io.netty:netty-all:4.0.36.Final has CVEs: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445. Would you please consider upgrading it to 4.1.68.Final to fix all these vulnerabilities. We noticed that Dependabot proposed another upgrade, which is still subject to "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445""CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612" after upgrading. We have run the tests, and they all passed.
您好,我们发现io.netty:netty-all:4.0.36.Final 有如下漏洞: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445。烦请考虑将其升级到4.1.68.Final以修复所有漏洞。我们注意到Dependabot 建议升级到4.1.42.Final,但这个升级后的版本依然受到 "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445""CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612”的影响。我们的升级通过了单元测试,log如下。请考虑我们的建议,谢谢您!