cloudant-labs/clouseau

Update Netty to address critical CVEs


bradbm commented

Clouseau shades Netty 3.2.10, which contains
https://nvd.nist.gov/vuln/detail/CVE-2019-20444
https://nvd.nist.gov/vuln/detail/CVE-2019-20445

These both appear to relate to HttpObjectDecoder, which I see no references to in the Clouseau code. Looks like Clouseau only uses the org.jboss.netty.buffer.ChannelBuffer class.

jboss.netty 3.2.10 was released in 2013 and has since been moved to just netty; 4.1.91 is the latest, with 5.0.0 in pre-release.

Even if not exploitable, there is increasing demand from governments and enterprises to update dependencies regardless.

I'll open a PR and see if a simple version / name change happens to work.