Update Netty to address critical CVEs
bradbm commented
Clouseau shades Netty 3.2.10, which contains:
https://nvd.nist.gov/vuln/detail/CVE-2019-20444
https://nvd.nist.gov/vuln/detail/CVE-2019-20445
These both appear to relate to HttpObjectDecoder, which I see no references to in the Clouseau code. Looks like Clouseau only uses the org.jboss.netty.buffer.ChannelBuffer class.
jboss.netty 3.2.10 was released in 2013, and has been moved to just netty; 4.1.91 is the latest, with 5.0.0 in pre-release.
Even if not exploitable, there is increasing demand from governments and enterprises to update dependencies regardless.
I'll open a PR and see if a simple version / name change happens to work.