laserdisc-io/fs2-aws

Vulnerability in netty-nio-client

DavidCorral94 opened this issue · 3 comments

Hey there!

Recently, in one of our services, our Dependant Bot triggered an alarm for the following vulnerability netty-handler SniHandler 16MB allocation.

We checked our dependency tree, and it seems the root of this dependency with the problem (io.netty:netty-handler) is io.laserdisc:fs2-aws-s3_2.13:6.0.2. More specifically, it comes from software.amazon.awssdk:netty-nio-client:2.20.90.

I've checked in the Maven Repository, and the most recent one (2.20.132) still has vulnerabilities, but they are in the test dependencies.

So, I'm wondering if you are waiting until they fix that vulnerability as well and then release a new version, or what's the plan?

Thanks!
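While a downstream project waits for an upstream release, the usual interim mitigation for a transitively pulled-in artifact like `io.netty:netty-handler` is to pin it from the consuming build and re-check the resolved tree. The fragment below is an added illustration, not code from fs2-aws or the issue author; it assumes sbt 1.4+ (which ships the `dependencyTree` task built in) and uses a placeholder for the patched netty-handler version, since the thread does not name one.

```scala
// build.sbt (added example, not part of fs2-aws)
// The fs2-aws coordinates are those named in the issue; the netty-handler
// version is a PLACEHOLDER to be replaced with the patched release.
val fs2AwsVersion = "6.0.2"
val nettyHandlerPatched = "<PATCHED_NETTY_HANDLER_VERSION>" // placeholder

libraryDependencies += "io.laserdisc" %% "fs2-aws-s3" % fs2AwsVersion

// Force the transitive netty-handler brought in via
// software.amazon.awssdk:netty-nio-client up to the patched version.
// dependencyOverrides only affects version selection; it does not add
// the artifact if nothing depends on it.
dependencyOverrides += "io.netty" % "netty-handler" % nettyHandlerPatched

// Verify from the sbt shell (sbt 1.4+ has these built in):
//   sbt "evicted"          -> shows which netty-handler version was selected
//   sbt "dependencyTree"   -> confirms the override is applied under fs2-aws-s3
```

Remove the override once a release of fs2-aws (the thread later notes tag 6.0.3) resolves to a non-vulnerable netty-handler on its own, so the pin does not silently hold back future updates.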

I believe Scala Steward already patched this by updating versions in the Dependencies.scala file, but there are no new releases. Are there plans for a new release any time soon?

Thanks!

released tag 6.0.3

Thanks, fixed!