From 9b88e2319b2d148e54a48052ab967157042c26b6 Mon Sep 17 00:00:00 2001 From: zly123987123 Date: Wed, 31 Aug 2022 15:50:00 +0800 Subject: [PATCH] =?UTF-8?q?upgrade=20netty-all=20to=20a=20secure=20version?= =?UTF-8?q?=20=E5=8D=87=E7=BA=A7netty-all=E4=BB=A5=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit hi, io.netty:netty-all:4.0.36.Final has CVEs: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445. Would you please consider upgrading it to 4.1.68.Final to fix all these vulnerabilities. We noticed that Dependabot proposed another upgrade, which is still subject to "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445""CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612" after upgrading. We have run the tests, they all passed: ```[INFO] Scanning for projects... [WARNING] [WARNING] Some problems were encountered while building the effective model for org.fengfei:proxy-common:jar:0.1 [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ org.fengfei:lanproxy:0.1, /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/pom.xml, line 57, column 21 [WARNING] [WARNING] Some problems were encountered while building the effective model for org.fengfei:proxy-protocol:jar:0.1 [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ org.fengfei:lanproxy:0.1, /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/pom.xml, line 57, column 21 [WARNING] [WARNING] Some problems were encountered while building the effective model for org.fengfei:lanproxy:pom:0.1 [WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-resources-plugin is missing. @ line 57, column 21 [WARNING] [WARNING] It is highly recommended to fix these problems because they threaten the stability of your build. [WARNING] [WARNING] For this reason, future Maven versions might no longer support building such malformed projects. [WARNING] [INFO] ------------------------------------------------------------------------ [INFO] Reactor Build Order: [INFO] [INFO] lanproxy [pom] [INFO] proxy-common [jar] [INFO] proxy-protocol [jar] [INFO] proxy-server [jar] [INFO] proxy-client [jar] [INFO] [INFO] ------------------------< org.fengfei:lanproxy >------------------------ [INFO] Building lanproxy 0.1 [1/5] [INFO] --------------------------------[ pom ]--------------------------------- [INFO] [INFO] ----------------------< org.fengfei:proxy-common >---------------------- [INFO] Building proxy-common 0.1 [2/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-common --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-common/src/main/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-common --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-common --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-common/src/test/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-common --- [INFO] No sources to compile [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-common --- [INFO] No tests to run. [INFO] [INFO] ---------------------< org.fengfei:proxy-protocol >--------------------- [INFO] Building proxy-protocol 0.1 [3/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-protocol --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-protocol/src/main/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-protocol --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-protocol --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-protocol/src/test/resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-protocol --- [INFO] No sources to compile [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-protocol --- [INFO] No tests to run. [INFO] [INFO] ----------------------< org.fengfei:proxy-server >---------------------- [INFO] Building proxy-server 0.1 [4/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-server --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 6 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-server --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-server --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 3 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-server --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-server --- [INFO] Surefire report directory: /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-server/target/surefire-reports ------------------------------------------------------- T E S T S ------------------------------------------------------- Results : Tests run: 0, Failures: 0, Errors: 0, Skipped: 0 [INFO] [INFO] ----------------------< org.fengfei:proxy-client >---------------------- [INFO] Building proxy-client 0.1 [5/5] [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ proxy-client --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 6 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ proxy-client --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ proxy-client --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] Copying 3 resources [INFO] [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ proxy-client --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ proxy-client --- [INFO] Surefire report directory: /Users/lyuye/workspace/remediation/real_pr_repos/lanproxy/proxy-client/target/surefire-reports ------------------------------------------------------- T E S T S ------------------------------------------------------- Results : Tests run: 0, Failures: 0, Errors: 0, Skipped: 0 [INFO] ------------------------------------------------------------------------ [INFO] Reactor Summary for lanproxy 0.1: [INFO] [INFO] lanproxy ........................................... SUCCESS [ 0.099 s] [INFO] proxy-common ....................................... SUCCESS [ 1.501 s] [INFO] proxy-protocol ..................................... SUCCESS [ 0.049 s] [INFO] proxy-server ....................................... SUCCESS [ 0.717 s] [INFO] proxy-client ....................................... SUCCESS [ 0.390 s] [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 2.954 s [INFO] Finished at: 2022-08-31T15:38:41+08:00 [INFO] ------------------------------------------------------------------------``` Thank you for your attentions! 您好,我们发现io.netty:netty-all:4.0.36.Final 有如下漏洞: CVE-2019-20444, CVE-2019-16869, CVE-2016-4970, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, CVE-2021-21409, CVE-2021-21295, CVE-2019-20445。烦请考虑将其升级到4.1.68.Final以修复所有漏洞。我们注意到Dependabot 建议升级到4.1.42.Final,但这个升级后的版本依然受到 "CVE-2021-21295", "CVE-2021-21409", "CVE-2019-20445""CVE-2019-20444", "CVE-2021-37137", "CVE-2021-37136", "CVE-2019-16869", "CVE-2021-21290", "CVE-2020-11612”的影响。我们的升级通过了单元测试,log在上面。请考虑我们的建议,谢谢您! --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 264ce4c6..78b64cd6 100644 --- a/pom.xml +++ b/pom.xml @@ -17,7 +17,7 @@ io.netty netty-all - 4.0.36.Final + 4.1.86.Final org.slf4j