CVE-2024-29025 #724

Closed
David-Ongaro opened this issue May 29, 2024 · 5 comments

@David-Ongaro
Contributor

Following up on #718 (comment) I'd like to ask if a minor release can be cut to get the netty update to 4.1.108.Final in? Or, if you think it's not ready yet, can you do a backport with just this update to the 6.x line?

I'm aware that this CVE is probably hardly relevant for Aleph, but we're getting flagged in our builds because of it.

@KingMob
Collaborator

KingMob commented May 30, 2024

@DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.

> I'm aware that this CVE is probably hardly relevant for Aleph

AFAICT, it does impact Aleph's multipart code. (Well, if you're HTTP2-only, it doesn't affect you. The multipart code isn't yet adapted to the HTTP2 code, since there's little need for it in HTTP2, other than for backwards-compatibility.)

@DerGuteMoritz
Collaborator

> @DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.

Yeah, let's. I meant to wrap up #721 first but it's probably fine to defer that to the release after that one. I just pushed another dependency bump (Netty 4.1.110.Final was released in the meantime): #725 -- with that, I think we're good to go! Will get in touch via Slack with you about the next steps.

@DerGuteMoritz
Collaborator

@David-Ongaro Alright, a new release is in the making, see #726 -- as you can see, the tests are currently failing on that branch. I think it's flaking but a single retry didn't yet fix it. Unfortunately, I have to leave now and will likely only be able to continue on Monday. If somebody has time to look into the test failures in the meantime, that'd be great 🙏 Otherwise I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started 😄

@David-Ongaro
Contributor Author

> I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started 😄

Thanks for the quick turnaround! I wish you a good weekend!

@DerGuteMoritz
Collaborator

@David-Ongaro 0.8.0 has just been released which bumps Netty to 4.1.110.Final and more (see changelog). Thanks for your patience and keep Alephing 😄
