xxubai commented on PR #3653:
URL: https://github.com/apache/amoro/pull/3653#issuecomment-3050944511

   > Hello, could you please point out the specific path you used to fix the 
[CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3) 
vulnerability? The amoro project currently uses jetty and netty to build HTTP 
server services, and both the jetty and netty versions are within the scope of the 
vulnerability. Your work upgraded the netty version but did not address the 
jetty version issue. In fact, the 
[CVE-2023-44487](https://github.com/advisories/GHSA-qppj-fm5r-hxr3) 
vulnerability was actually fixed in jetty 9.4.53.v20231009 [1]. The current jetty 
version of the amoro project is 9.4.51.v20230217. I am worried that your fix is 
incomplete work.
   > 
   > [1] 
https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.53.v20231009
   
   
![image](https://github.com/user-attachments/assets/5d10ddd3-5e14-4c74-a2cd-f8340b858c50)
   I scanned the CVEs in my local Docker and found that CVE-2023-44487 no longer 
exists.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

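The disagreement above is between a scanner result and the versions a POM actually declares, so a reviewer would want to check the declared versions directly. The script below is an added example, not code from the Amoro project or from either commenter: it parses a Maven POM, resolves `${...}` property references, and compares each Jetty and Netty version against the first release of its line that carries the CVE-2023-44487 fix. The Jetty fix version 9.4.53.v20231009 is the one cited in the comment; the Netty fix version 4.1.100.Final is supplied by this example, not by the comment. The sample POM, its versions and the artifact names in it are constructed for illustration, with the Jetty version deliberately set to the 9.4.51.v20230217 the comment mentions.

```python
"""Audit Jetty/Netty versions declared in a Maven POM against the releases
that fixed CVE-2023-44487 (HTTP/2 Rapid Reset). Added example; the POM is
constructed and is not Amoro's real pom.xml."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First release of each line that contains the fix, keyed by
# (groupId, "major.minor" line). The Jetty entry is the release cited in the
# review comment; the Netty entry is this example's own addition. Release
# lines absent from this table are reported as "unknown", never guessed.
FIXED_VERSIONS = {
    ("org.eclipse.jetty", "9.4"): "9.4.53.v20231009",
    ("io.netty", "4.1"): "4.1.100.Final",
}

# Constructed sample POM: Jetty pinned through a property, Netty declared inline.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jetty.version>9.4.51.v20230217</jetty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>4.1.100.Final</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version: str) -> tuple:
    """Numeric components in order: 9.4.51.v20230217 -> (9, 4, 51, 20230217),
    4.1.94.Final -> (4, 1, 94). Jetty's 'v' date stamp and Netty's 'Final'
    qualifier then compare sensibly inside one release line."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def release_line(version: str) -> str:
    """'major.minor' of a version, e.g. '9.4' for 9.4.51.v20230217."""
    nums = version_key(version)
    return f"{nums[0]}.{nums[1]}" if len(nums) >= 2 else version


def resolve(value: str, props: dict) -> str:
    """Expand ${property} references from the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def declared_dependencies(pom_xml: str) -> list:
    """(groupId, artifactId, resolved version) for every <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        deps.append((group, artifact, resolve(version, props)))
    return deps


def audit_cve_2023_44487(pom_xml: str) -> dict:
    """Map 'groupId:artifactId' -> 'vulnerable' | 'fixed' | 'unknown' for the
    groups in FIXED_VERSIONS. A version from a release line not in the table
    (e.g. Jetty 10.x) is 'unknown'; it is never compared against another
    line's fix version, which would give a false 'fixed'."""
    tracked_groups = {group for group, _ in FIXED_VERSIONS}
    result = {}
    for group, artifact, version in declared_dependencies(pom_xml):
        if group not in tracked_groups:
            continue
        fixed = FIXED_VERSIONS.get((group, release_line(version)))
        if fixed is None:
            status = "unknown"
        elif version_key(version) >= version_key(fixed):
            status = "fixed"
        else:
            status = "vulnerable"
        result[f"{group}:{artifact}"] = status
    return result


if __name__ == "__main__":
    for coordinate, status in audit_cve_2023_44487(SAMPLE_POM).items():
        print(f"{coordinate}: {status}")
```

Run against the constructed POM, the script reports jetty-server as vulnerable and netty-all as fixed, which is the situation the review comment describes. Extend FIXED_VERSIONS with the fix release for each additional Jetty or Netty line the project uses before trusting an "unknown" result.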