git diff: https://github.com/apache/ratis-thirdparty/compare/1.0.9-rc0...1.0.9-rc1

The only change is RATIS-2279 <https://issues.apache.org/jira/browse/RATIS-2279>. Update NOTICE year to 2025 <https://github.com/apache/ratis-thirdparty/commit/4939c3016a1c2242e59f11f701204beef80c35f8>
So Netty is 4.1.119.Final, and gRPC 1.71.0. Wouldn't this combination suffer from the corruption bug?

Why not use Netty 4.1.110.Final? It has three vulnerabilities, but according to https://groups.google.com/g/grpc-io/c/IHI3ytcZHqY/m/pNZEN2G7AAAJ?pli=1, gRPC is not vulnerable to Netty CVE-2025-24970. The other two, CVE-2025-25193 and CVE-2024-47535, are only relevant on the Windows platform, so Netty 4.1.110.Final should be acceptable.

On Mon, Apr 7, 2025 at 11:35 AM Attila Doroszlai <[email protected]> wrote:
> > https://github.com/apache/ratis-thirdparty/tree/1.0.9-rc1
> > https://dist.apache.org/repos/dist/dev/ratis/thirdparty/1.0.9/rc1/
> > https://repository.apache.org/content/repositories/orgapacheratis-1166/
>
> Starting with my +1.
>
> * Verified checksum, signature, git hash
> * Compared tarball to repo at the given tag
> * Built from source, ran unit test
> * Verified build result against staged Maven repo
>
> -Attila
