vertx-web

CVE-2022-24823 for vert.x 3.9 and up

Open cprasad1 opened this issue 2 years ago • 3 comments

Questions

Hello vert.x team, Is there a plan to update old versions like 3.9 and up to address https://nvd.nist.gov/vuln/detail/CVE-2022-24823? IIUC we just need to bump up the io.netty:netty-codec-http to 4.1.78.Final. I see that it has been bumped up in 4.3, but are there plans to backport this fix?

Version

3.9

Context

I encountered an exception which looks suspicious while ...

Do you have a reproducer?

A reproducer is a simple project hosted on GitHub (or another forge supporting git clone operation) that has a build file that can be executed to reproduce the issue.

Reproducers are very helpful for contributors and will likely help them fix your bug faster.

  • Link to github project/gist

Steps to reproduce

  1. ...
  2. ...
  3. ...
  4. ...

Extra

  • Anything that can be relevant such as OS version, JVM version

cprasad1 avatar Oct 06 '22 21:10 cprasad1

I opened this PR https://github.com/vert-x3/vertx-dependencies/pull/98

cprasad1 avatar Oct 06 '22 21:10 cprasad1

@pmlopes , @vietj can you pls take a look at this ?

suhas-satish avatar Oct 10 '22 22:10 suhas-satish

I'd upgrade to 4.1.82.Final instead, which is more recent.

vietj avatar Oct 11 '22 07:10 vietj
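A check that follows from the thread, added here as an example and not code from the issue or from the vert.x project: it parses `mvn dependency:tree` output and reports whether the version of `io.netty:netty-codec-http` that Maven actually resolves is older than the version the thread treats as fixed. The default threshold is the 4.1.78.Final named in the issue; the 4.1.82.Final suggested by vietj can be passed instead. The two dependency trees embedded below are constructed samples for a hypothetical `com.example:demo` project, not output from any real build.

```python
import re
from typing import List, Tuple

# Maven scopes that may trail a coordinate in `mvn dependency:tree` output.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample: a vert.x 3.9 project before any Netty override.
# vert.x pulls Netty in transitively, so the resolved version is whatever
# vertx-core declares. (Illustrative versions, not taken from the issue.)
BEFORE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- io.vertx:vertx-web:jar:3.9.13:compile
[INFO] |  \\- io.vertx:vertx-core:jar:3.9.13:compile
[INFO] |     +- io.netty:netty-common:jar:4.1.74.Final:compile
[INFO] |     +- io.netty:netty-codec-http:jar:4.1.74.Final:compile
[INFO] |     \\- io.netty:netty-handler:jar:4.1.74.Final:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed sample: the same project after pinning Netty to 4.1.82.Final,
# printed with `-Dverbose` so the losing transitive version is still shown
# in parentheses as "omitted". Only the unparenthesized line is resolved.
AFTER_TREE = """\
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- io.vertx:vertx-web:jar:3.9.13:compile
[INFO] |  \\- io.vertx:vertx-core:jar:3.9.13:compile
[INFO] |     +- io.netty:netty-common:jar:4.1.82.Final:compile
[INFO] |     +- (io.netty:netty-codec-http:jar:4.1.74.Final:compile - omitted for conflict with 4.1.82.Final)
[INFO] |     \\- io.netty:netty-handler:jar:4.1.82.Final:compile
[INFO] \\- io.netty:netty-codec-http:jar:4.1.82.Final:compile
"""


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every resolved node in the tree.

    Lines in parentheses (verbose mode's "omitted for ..." entries) are
    skipped: they describe versions Maven discarded, not what ends up on
    the classpath.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        if line.startswith("(") or " - omitted for" in line:
            continue
        # Drop the tree-drawing prefix: "+- ", "\- ", "|  " and plain "--- ".
        line = line.lstrip("|+\\- ")
        parts = line.split(":")
        if len(parts) < 4:
            continue  # plugin banner, blank line, or other non-coordinate text
        if parts[-1] in SCOPES:
            parts = parts[:-1]  # root artifact has no scope; dependencies do
        group_id, artifact_id, version = parts[0], parts[1], parts[-1]
        deps.append((group_id, artifact_id, version))
    return deps


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version, so "4.1.78.Final" -> (4, 1, 78).

    Netty's ".Final" qualifier and SNAPSHOT suffixes are ignored; only the
    leading dotted integers are compared.
    """
    nums = []
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums)


def find_vulnerable(tree_text: str,
                    artifact: str = "io.netty:netty-codec-http",
                    fixed_in: str = "4.1.78.Final") -> List[Tuple[str, str]]:
    """List (coordinate, version) for resolved copies of `artifact` below `fixed_in`."""
    hits = []
    for group_id, artifact_id, version in parse_tree(tree_text):
        coordinate = f"{group_id}:{artifact_id}"
        if coordinate == artifact and version_key(version) < version_key(fixed_in):
            hits.append((coordinate, version))
    return hits


if __name__ == "__main__":
    for label, tree in (("before override", BEFORE_TREE), ("after override", AFTER_TREE)):
        hits = find_vulnerable(tree)
        print(f"{label}: {hits or 'no netty-codec-http below 4.1.78.Final'}")
```

In practice the input comes from `mvn dependency:tree -Dverbose` run in the project; the point of parsing the tree rather than the pom is that vert.x 3.9 pulls Netty in transitively, so the version that matters is the resolved one, and a direct declaration or a `dependencyManagement` pin only helps if it actually wins the conflict.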