
High Severity Security Vulnerability: sonatype-2021-0789

Open ZachChuba opened this issue 1 year ago • 4 comments

shaded-asynchttpclient-2.2.9.jar : play/shaded/ahc/io/netty/handler/codec/compression/Lz4FrameEncoder.class [4.1.0.Beta2, 4.1.66.Final) has a high vulnerability related to buffer overflow.

The root cause is an out-of-date netty transitive dependency. Please upgrade the netty-codec version to one that is not vulnerable.

This issue was addressed in netty by: https://github.com/netty/netty/pull/11429

ZachChuba avatar Oct 03 '24 13:10 ZachChuba
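An added check (not code from play-ws or from the issue author) that a defender can run against a built artifact: it tests whether a jar still packages the shaded `Lz4FrameEncoder` class named above, and whether a given netty version falls inside the quoted range [4.1.0.Beta2, 4.1.66.Final). The Maven-style qualifier ordering (Alpha < Beta < CR/RC < Final) and the in-memory sample jar are assumptions made for this example.

```python
import io
import re
import zipfile

# Affected class path and version range, as quoted in this issue (sonatype-2021-0789).
SHADED_CLASS = "play/shaded/ahc/io/netty/handler/codec/compression/Lz4FrameEncoder.class"
VULN_LOW = "4.1.0.Beta2"    # inclusive lower bound
VULN_HIGH = "4.1.66.Final"  # exclusive upper bound

# Qualifier ordering assumed for this example (Maven-style: Alpha < Beta < CR/RC < Final).
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3}

def parse_version(version: str) -> tuple:
    """Turn '4.1.66.Final' or '4.1.0.Beta2' into a tuple that sorts correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised netty version: {version!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK.get((qualifier or "final").lower())
    if rank is None:
        raise ValueError(f"unknown qualifier in {version!r}")
    return (int(major), int(minor), int(patch), rank, int(qnum or 0))

def in_vulnerable_range(version: str) -> bool:
    """True if `version` lies in [VULN_LOW, VULN_HIGH)."""
    return parse_version(VULN_LOW) <= parse_version(version) < parse_version(VULN_HIGH)

def has_affected_class(jar) -> bool:
    """Report whether the shaded Lz4FrameEncoder class is packaged in the jar.
    `jar` may be a path or a file-like object; only entry names are inspected."""
    with zipfile.ZipFile(jar) as zf:
        return SHADED_CLASS in zf.namelist()

def build_constructed_jar(entry_names) -> io.BytesIO:
    """Build a constructed in-memory jar with empty entries, so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = build_constructed_jar([SHADED_CLASS, "META-INF/MANIFEST.MF"])
    print("shaded class present:", has_affected_class(sample))
    for v in ("4.1.0.Beta1", "4.1.0.Beta2", "4.1.65.Final", "4.1.66.Final"):
        print(v, "affected" if in_vulnerable_range(v) else "not affected")
```

Presence of the class only says the shaded netty code is bundled; pair it with the netty version your build actually shades to decide whether the range applies.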

Taking a look in the next hours.

mkurz avatar Oct 03 '24 13:10 mkurz

Relevant:

  • #866

mkurz avatar Oct 03 '24 13:10 mkurz

Probably the best thing to do anyway is to backport #866 to the current stable branches. Making sure the shaded libraries are up-to-date is a very good idea in general anyway IMHO. I do not expect anything breaking for play-ws 🤞.

Created https://github.com/playframework/playframework/issues/12893 to not forget about this, will be done soon with next Play patch release.

mkurz avatar Oct 03 '24 19:10 mkurz

Fixed in latest releases:

  • https://github.com/playframework/play-ws/releases/tag/2.2.10
  • https://github.com/playframework/play-ws/releases/tag/3.0.6

Will be part of next Play 3.0.6 and 2.9.6:

  • https://github.com/playframework/playframework/pull/12973
  • https://github.com/playframework/playframework/pull/12974

mkurz avatar Nov 14 '24 12:11 mkurz