[
https://issues.apache.org/jira/browse/OLINGO-1493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17232395#comment-17232395
]
Norman commented on OLINGO-1493:
--------------------------------
Hi Michael,
Thank you for the update and your efforts.
Looking forward to the updated version.
Let me know if I can help.
Bests Norman
> Security Vulnerabilities in direct dependency netty-codec-http
> --------------------------------------------------------------
>
> Key: OLINGO-1493
> URL: https://issues.apache.org/jira/browse/OLINGO-1493
> Project: Olingo
> Issue Type: Bug
> Components: odata4-server
> Affects Versions: (Java) V4 4.7.1
> Reporter: Norman
> Assignee: mibo
> Priority: Major
>
> Dear Olingo Community,
> odata-server-api and odata-server-core 4.7.1 have a direct dependency on
> io.netty *netty-codec-http 4.1.43.Final*
> This version has known security vulnerabilities ranked with medium and high
> CVSS score.
> See:
> https://snyk.io/vuln/SNYK-JAVA-IONETTY-1020439 -> fixed in 4.1.53Final or
> higher
> https://snyk.io/vuln/SNYK-JAVA-IONETTY-543669 -> fixed in 4.1.44.Final or
> higher
> https://snyk.io/vuln/SNYK-JAVA-IONETTY-543490 -> fixed in 4.1.44.Final or
> higher
> Upgrading the dependency to 4.1.53Final would fix the issue.
>
> P.S. com.fasterxml.jackson.core » jackson-core 2.10.0 is outdated, too and
> could be upgraded to 2.11.3
>
> Additional Links:
> https://mvnrepository.com/artifact/org.apache.olingo/odata-server-core/4.7.1
> https://mvnrepository.com/artifact/org.apache.olingo/odata-server-api/4.7.1
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
