[
https://issues.apache.org/jira/browse/CASSANDRA-18943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17777318#comment-17777318
]
Brandon Williams commented on CASSANDRA-18943:
----------------------------------------------
This affects netty and the driver, with variance between branches. Here's what
dependency-check looks like:
{quote}
3.0: fail
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS
score greater than or equal to '1.0':
netty-all-4.0.44.Final.jar: CVE-2023-44487
See the dependency-check report for more details.
Total time: 3 minutes 45 seconds
3.11: fail
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS
score greater than or equal to '1.0':
netty-all-4.0.44.Final.jar: CVE-2023-44487
See the dependency-check report for more details.
Total time: 3 minutes 57 seconds
4.0: fail
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS
score greater than or equal to '1.0':
netty-all-4.1.58.Final.jar: CVE-2023-4586, CVE-2023-44487
See the dependency-check report for more details.
Total time: 3 minutes 55 seconds
4.1: fail
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS
score greater than or equal to '1.0':
netty-all-4.1.58.Final.jar: CVE-2023-4586, CVE-2023-44487
See the dependency-check report for more details.
Total time: 4 minutes 22 seconds
5.0: fail
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml:
CVE-2023-4586, CVE-2023-44487
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml:
CVE-2023-4586, CVE-2023-44487
netty-transport-4.1.96.Final.jar: CVE-2023-4586, CVE-2023-44487
See the dependency-check report for more details.
Total time: 3 minutes 39 seconds
trunk: fail
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml:
CVE-2023-4586, CVE-2023-44487
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml:
CVE-2023-4586, CVE-2023-44487
netty-transport-4.1.96.Final.jar: CVE-2023-4586, CVE-2023-44487
{quote}
> http/2 vulnerability: CVE-2023-44487
> ------------------------------------
>
> Key: CASSANDRA-18943
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18943
> Project: Cassandra
> Issue Type: Bug
> Components: Dependencies
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2023-44487
> Basically anything using http/2 is covered by this, but we don't use it.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
