
Netty vulnerability

Open l3ender opened this issue 4 months ago • 8 comments

The latest version of Pushy (0.15.4) has a vulnerability in the reference version of Netty (4.1.104.Final, see ref):

https://mvnrepository.com/artifact/com.eatthepath/pushy/0.15.4

Discovered as part of https://github.com/jchambers/pushy/issues/1116.

Please update to the latest to resolve the vulnerability. Thank you!

l3ender avatar Sep 04 '25 17:09 l3ender

The netty dependency has been updated to version 4.1.119.Final in the main branch. It seems like all that is needed is to create a new release of pushy. @jchambers

trallarn avatar Sep 05 '25 07:09 trallarn

It appears that 4.1.119.Final also has vulnerabilities: https://mvnrepository.com/artifact/io.netty/netty-codec-http2/4.1.119.Final.

l3ender avatar Sep 05 '25 10:09 l3ender

The vulnerabilities in .119, as I'm reading them, relate to maliciously-crafted HTTP/2 traffic. Pushy does use HTTP/2, but generally only talks to a single trusted source (Apple's servers). I do view this as a thing that should get updated, but also don't view it as an emergency. I'll do a version bump at my next opportunity.

jchambers avatar Sep 05 '25 13:09 jchambers

Thanks, @jchambers! I agree with your assessment: from what I can tell the vulns are when using Netty as a server, not client.

l3ender avatar Sep 06 '25 01:09 l3ender

As long as the Netty dependency is going to be updated, could it be updated and tested with Netty 4.2.6? That latest Netty is a dependency of the Firebase Admin Java SDK (com.google.firebase:firebase-admin), the official library to send Android Notifications, and it would be amazing to not have to think about shading / not have to just be running with 4.2.* hoping all is well 🙏

mohamedhafez avatar Sep 29 '25 15:09 mohamedhafez

Also considering that the interface seems to be stable and this library is used in production by several large companies from my understanding, perhaps a 1.0.0 release is in order to signify to the world that it is indeed production ready? Could be helpful in getting more eyeballs and contributors and such

mohamedhafez avatar Sep 29 '25 15:09 mohamedhafez

> As long as the Netty dependency is going to be updated, could it be updated and tested with Netty 4.2.6?

There's a big jump from Netty 4.1 to 4.2, and it's not a matter of just incrementing a version number. That said, I'll look into it, but it'll be a separate effort.

> …perhaps a 1.0.0 release is in order to signify to the world that it is indeed production ready? Could be helpful in getting more eyeballs and contributors and such

Again, I think this is an entirely separate issue. There are a number of things I'd like to address before 1.0 (i.e. committing to "stability" in the sense of semantic versioning), and I'll write more about that as a separate discussion.

jchambers avatar Oct 07 '25 13:10 jchambers

If the jump to 4.2 is too big then an update to the latest version 4.1.128 (which is still maintained) would also suffice.

```xml
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-codec-http2</artifactId>
    <version>4.1.128.Final</version>
</dependency>
```

Added a merge request with all the necessary updates.

Lonzak avatar Dec 02 '25 20:12 Lonzak
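One way to check a build for the situations this thread raises (Netty artifacts older than a chosen 4.1 baseline, and Pushy's 4.1 line sitting beside Firebase Admin's 4.2 line), as an added example that is not Pushy's or Netty's own code. The `mvn dependency:tree` excerpt it reads is constructed, the firebase-admin version in it is a placeholder, and the baseline is whatever version you pass in, not a verdict on which versions are affected.

```python
"""Audit io.netty artifacts found in `mvn dependency:tree` output.

Added example, not Pushy code. Reports artifacts below a baseline version
and whether more than one Netty minor line (4.1 vs 4.2) is on the classpath.
"""
import re
from typing import Dict, List, Tuple

# Constructed dependency-tree excerpt. The app coordinates and the
# firebase-admin version (X.Y.Z) are placeholders, not real resolution output.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.eatthepath:pushy:jar:0.15.4:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.104.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.104.Final:compile
[INFO] \\- com.google.firebase:firebase-admin:jar:X.Y.Z:compile
[INFO]    \\- io.netty:netty-codec-http2:jar:4.2.6.Final:compile
"""

# Maven tree lines read group:artifact:packaging:version:scope; match io.netty only.
NETTY_LINE = re.compile(r"io\.netty:([A-Za-z0-9_.-]+):jar:([0-9][0-9A-Za-z.]*):")


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.1.104.Final' -> (4, 1, 104); the trailing qualifier is ignored."""
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def netty_artifacts(tree: str) -> List[Tuple[str, str]]:
    """Every (artifact, version) pair from the io.netty group, in tree order."""
    return [(m.group(1), m.group(2)) for m in NETTY_LINE.finditer(tree)]


def audit(tree: str, baseline: str = "4.1.128.Final") -> Dict[str, object]:
    """Flag artifacts older than `baseline` and detect mixed 4.1/4.2 lines."""
    floor = parse_version(baseline)
    found = netty_artifacts(tree)
    below = [(a, v) for a, v in found if parse_version(v) < floor]
    lines = {parse_version(v)[:2] for _, v in found}  # e.g. {(4, 1), (4, 2)}
    return {"below_baseline": below, "mixed_lines": len(lines) > 1,
            "lines": sorted(lines)}


if __name__ == "__main__":
    print(audit(SAMPLE_TREE))
```

Feed it real output with `audit(open("tree.txt").read())` after `mvn dependency:tree > tree.txt`; a shaded Netty will not show up here, since shading rewrites the coordinates.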