[ https://issues.apache.org/jira/browse/OLINGO-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989886#comment-16989886 ]
mibo commented on OLINGO-1414: ------------------------------ After a quick check I agree that the {{io.netty:netty-codec-http}} which is used in Olingo is truly affected, see fix: https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95 The update of netty will be done soon. As mitigation you can add {{netty-codec-http}} together with olingo in your pom.xml. {code} <dependency> <groupId>io.netty</groupId> <artifactId>netty-codec-http</artifactId> <version>4.1.42.Final</version> </dependency> {code} > Dependency check fails on 4.7.0 : CVE-2019-16869 on Netty > --------------------------------------------------------- > > Key: OLINGO-1414 > URL: https://issues.apache.org/jira/browse/OLINGO-1414 > Project: Olingo > Issue Type: Improvement > Affects Versions: (Java) V4 4.7.0 > Reporter: Hans Pikkemaat > Assignee: mibo > Priority: Blocker > Labels: security > Attachments: > 0001-OLINGO-1414-Update-to-netty-4.1.42.Final-to-prevent-.patch > > > In release 4.7.0 Netty 4.1.39.Final is used. > This contains a vulnerability : > [CVE-2019-16869|https://nvd.nist.gov/vuln/detail/CVE-2019-16869] > This issues has been solved in 4.1.42.Final > > -- This message was sent by Atlassian Jira (v8.3.4#803005)