Apache Arrow: ARROW-17850

[Java] Upgrade netty-codec-http dependencies

Description

[CVE-2022-24823](https://github.com/advisories/GHSA-269q-hmxg-m83q) reports a security vulnerability for netty-codec-http.

Now the version of netty-codec-http in the master branch is 4.1.72.Final, which is unsafe.

The ticket https://issues.apache.org/jira/browse/ARROW-16996 bumps netty-codec to 4.1.78.Final, but it didn't bump netty-codec-http.

Can you upgrade the version of netty-codec-http?

Here is my output of mvn:dependency now:

```bash
[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] |  +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  - io.netty:netty-codec-http:jar:4.1.72.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] |  |  |  - io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] |  |  +- io.perfmark:perfmark-api:jar:0.25.0:runtime
[INFO] |  |  - io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] |  +- io.grpc:grpc-core:jar:1.47.0:compile
[INFO] |  |  +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] |  |  - org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] |  +- io.grpc:grpc-context:jar:1.47.0:compile
[INFO] |  +- io.grpc:grpc-protobuf:jar:1.47.0:compile
[INFO] |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] |  |  - io.grpc:grpc-protobuf-lite:jar:1.47.0:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-classes:jar:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.53.Final:compile
[INFO] |  |  +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.53.Final:compile
[INFO] |  |  - io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.53.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |  +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |  |  - io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |  +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  |  - com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- io.grpc:grpc-stub:jar:1.47.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.21.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.47.0:compile
[INFO] |  - javax.annotation:javax.annotation-api:jar:1.3.2:compile
```
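The mixed netty versions in the tree above (codec and handler at 4.1.78.Final, codec-http and its siblings still at 4.1.72.Final via grpc-netty) are easy to miss by eye. As an added check, not part of this ticket or of the Arrow project, here is a small Python script that parses `mvn dependency:tree` output and flags every `io.netty` 4.x artifact resolved below a floor version; the sample input is a constructed excerpt of the tree in the ticket, and the 4.1.78.Final floor is an assumption taken from what ARROW-16996 bumped netty-codec to.

```python
import re

# Constructed sample: an excerpt of the mvn dependency:tree output quoted in the ticket.
SAMPLE_TREE = """\
[INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
[INFO] |  +- io.grpc:grpc-netty:jar:1.47.0:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
[INFO] |  |  |  - io.netty:netty-codec-http:jar:4.1.72.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
[INFO] |  |  |  - io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
[INFO] |  |  - io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
[INFO] |  +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |  |  - io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.78.Final:compile
"""

# Assumption: the floor is the version ARROW-16996 already bumped netty-codec to.
MIN_NETTY = "4.1.78.Final"

def version_key(version):
    """Turn '4.1.72.Final' into (4, 1, 72) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_tree(text):
    """Return (groupId, artifactId, version) for each artifact line of mvn dependency:tree."""
    found = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        # The coordinate is the last token: groupId:artifactId:type[:classifier]:version:scope
        parts = line.split()[-1].split(":")
        if len(parts) < 5:
            continue
        found.append((parts[0], parts[1], parts[-2]))
    return found

def stale_netty(text, minimum=MIN_NETTY):
    """Map each io.netty 4.x artifact resolved below `minimum` to its resolved version."""
    stale = {}
    for group, artifact, version in parse_tree(text):
        # netty-tcnative* is skipped: it follows its own 2.0.x version line.
        if group != "io.netty" or artifact.startswith("netty-tcnative"):
            continue
        if version_key(version) < version_key(minimum):
            stale[artifact] = version
    return stale

if __name__ == "__main__":
    for artifact, version in sorted(stale_netty(SAMPLE_TREE).items()):
        print(f"{artifact} resolves to {version}, below {MIN_NETTY}")
```

Pinning the whole netty 4.x family to one version in `dependencyManagement` is the usual remedy; rerun this check on the real tree afterwards to confirm nothing still resolves to 4.1.72.Final.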

People

dsusanibara David Dali Susanibar Arce
yuhuixa Hui Yu