Request new release to incorporate changes for Netty vulns to pass CVE scans.
a2m8 opened this issue · 1 comments
pom.xml is updated, but there are no new releases reflecting the updated dependencies.
https://github.com/AsyncHttpClient/async-http-client/pull/1841/files
CVE-2022-41881 | high | 7.50 | io.netty_netty-codec | 4.1.79 | fixed in 4.1.86 > 3 months ago | > 3 months | < 1 hour | -97 | Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised whe... | Yes |
Switch to Beta versions or declare the latest version of Netty directly in pom.xml.
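
The second option from the comment above, sketched as a `pom.xml` fragment for the consuming project. This is an added example, not code from async-http-client or from the thread participants; it assumes 4.1.86.Final (the fixed version named in the scan row) as the minimum and uses Netty's published `io.netty:netty-bom` to keep all Netty modules on the same version.

```xml
<!-- Added example: fragment for the consuming application's pom.xml. -->
<properties>
  <!-- Assumption: 4.1.86.Final is the fixed version reported by the scan;
       use a newer 4.1.x release if one is available. -->
  <netty.version>4.1.86.Final</netty.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Importing the Netty BOM manages every io.netty artifact
         (netty-codec, netty-handler, netty-buffer, ...) at one version,
         including those pulled in transitively by async-http-client.
         Place it before other imported BOMs: when two BOMs manage the
         same artifact, the first import wins. -->
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-bom</artifactId>
      <version>${netty.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running `mvn dependency:tree -Dincludes=io.netty` afterwards shows which Netty version each artifact resolves to, so the override can be confirmed before the next scan.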