
Regarding Netty 4.1.48.Final vulnerability

Open endevcy opened this issue 4 years ago • 4 comments

Problem or use case

Hi, I have a question regarding the netty version used in the hivemq-mqtt-client. Currently, hivemq-mqtt-client is using netty version 4.1.48.Final, which has some vulnerabilities, and the latest version is 4.1.65.Final.

Here is the link to the netty vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-21290

I found that in develop-2 branch, it's updated to 4.1.60.Final but it was not included in the latest release 1.2.2.

Do you have any plan to update the version and when it will be?

endevcy avatar Jun 03 '21 13:06 endevcy

Hi @endevcy As the hivemq-mqtt-client is a library, you can easily upgrade the dependency yourself. If you build your project with Gradle, you could do the following:

dependencies {
    implementation("com.hivemq:hivemq-mqtt-client:1.2.2")
    implementation(platform("io.netty:netty-bom:4.1.65.Final"))
}

The 2.0.0 release of this library is planned but it is not yet clear when exactly it will happen.

SgtSilvio avatar Jun 04 '21 08:06 SgtSilvio

Hi @SgtSilvio thanks for your quick reply and the information.

I missed this information at first, but the problem is we're using the shaded library with Maven.

Can we assure that updating the netty version will not break any compatibility?

endevcy avatar Jun 04 '21 09:06 endevcy

We have an internal project that uses the hivemq-mqtt-client and netty version 4.1.63.Final without any problems. In general, an update to the last number in the netty version will not break compatibility (as long as there is no bug on the netty side). Regarding the shaded version, you currently have 2 options:

  • Use the normal version if you do not have a particular reason to use the shaded version (for example no major version conflicts between dependencies)
  • Build the version yourself for now (not a good idea imho)

SgtSilvio avatar Jun 04 '21 10:06 SgtSilvio
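The Maven equivalent of the Gradle snippet above, using the non-shaded artifact as the reply recommends. This is an added example and not code from the thread or from the hivemq-mqtt-client project; the version numbers are the ones mentioned in the thread, the project coordinates are placeholders, and `io.netty:netty-bom` is Netty's own published BOM.

```xml
<!-- Added example (not from the thread): pin every io.netty:* transitive
     dependency of the non-shaded hivemq-mqtt-client to 4.1.65.Final. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming application -->
  <groupId>com.example</groupId>
  <artifactId>mqtt-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Import Netty's BOM. Maven applies the first imported BOM that
           manages a given artifact, so keep this ahead of any other BOM
           (e.g. a framework BOM) that also declares io.netty versions. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>4.1.65.Final</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Plain (non-shaded) artifact: Netty arrives as a regular transitive
         dependency, so dependencyManagement above can override its version.
         The shaded artifact bundles Netty classes inside its own jar, and a
         dependencyManagement entry has no effect on those. -->
    <dependency>
      <groupId>com.hivemq</groupId>
      <artifactId>hivemq-mqtt-client</artifactId>
      <version>1.2.2</version>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm the override actually took effect with `mvn dependency:tree -Dincludes=io.netty` and check that every `io.netty:*` line in the output shows 4.1.65.Final; a mixed set of Netty versions in the tree usually means another BOM or an explicit dependency is winning the resolution.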

How to upgrade its version in a Docker image, as there is no source code and only the jar file is available?

themonaminor avatar Dec 17 '21 10:12 themonaminor

Closing out the issue since it's gone inactive. If anything remains, please feel free to file a new issue anytime.

pglombardo avatar May 23 '23 13:05 pglombardo

Hi all - thanks for pointing this out. Netty has been updated to 4.1.99.Final in release 1.3.3, which is building now.

pglombardo avatar Oct 03 '23 08:10 pglombardo