ztzg opened a new pull request, #2118:
URL: https://github.com/apache/zookeeper/pull/2118
This merge request addresses the following `dependency-check:check` report:
jetty-io-9.4.52.v20230823.jar: CVE-2023-44487(7.5), CVE-2023-36478(7.5)
jetty-server-9.4.52.v20230823.jar: CVE-2023-44487(7.5),
CVE-2023-36478(7.5)
logback-core-1.2.10.jar: CVE-2023-6378(7.5)
netty-transport-4.1.94.Final.jar: CVE-2023-44487(7.5)
I realized that there were existing contributions for these CVEs:
* https://github.com/apache/zookeeper/pull/2082, "Update Netty from 4.1.94
to 4.1.100"
* https://github.com/apache/zookeeper/pull/2098, "ZOOKEEPER-4778: Patch
CVE-2023-6378, CVE-2023-44487, CVE-2023-36478";
This one credits them, but replaces them, as:
* It bumps Netty to version 4.1.105.Final;
* It also updates the `LICENSE.txt` files.
Jetty is updated to version 9.4.53.v20231009, and Logback to 1.2.13, as with
the other two requests.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
