monologuist commented on PR #3653: URL: https://github.com/apache/amoro/pull/3653#issuecomment-3050739734
Hello, could you please point out the specific path you used to fix the CVE-2023-44487 vulnerability? The amoro project currently uses jetty and netty to build HTTP server services, and both the jetty and netty versions are within the scope of the vulnerability. Your work upgraded the netty version but did not address the jetty version issue. In fact, the CVE-2023-44487 vulnerability was actually fixed in jetty 9.4.53.v20231009 [1]. The current jetty version of the amoro project is 9.4.51.v20230217. I am worried that your fix is incomplete.

[1] https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.53.v20231009

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
