CVE-2024-29025 #724
Comments
@DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.
AFAICT, it does impact Aleph's multipart code. (Well, if you're HTTP2-only, it doesn't affect you. The multipart code isn't yet adapted to the HTTP2 code, since there's little need for it in HTTP2, other than for backwards-compatibility.)
Yeah, let's. I meant to wrap up #721 first but it's probably fine to defer that to the release after that one. I just pushed another dependency bump (Netty 4.1.110.Final was released in the meantime): #725 -- with that, I think we're good to go! Will get in touch via Slack with you about the next steps.
@David-Ongaro Alright, a new release is in the making, see #726 -- as you can see, the tests are currently failing on that branch. I think it's flaking but a single retry didn't yet fix it. Unfortunately, I have to leave now and will likely only be able to continue on Monday. If somebody has time to look into the test failures in the meantime, that'd be great 🙏 Otherwise I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started 😄
Thanks for the quick turnaround! I wish you a good weekend!
@David-Ongaro 0.8.0 has just been released which bumps Netty to 4.1.110.Final and more (see changelog). Thanks for your patience and keep Alephing 😄
Following up on #718 (comment) I'd like to ask if a minor release can be cut to get the netty update to 4.1.108.Final in? Or, if you think it's not ready yet, can you do a backport with just this update to the 6.x line?
I'm aware that this CVE is probably hardly relevant for Aleph, but we're getting flagged in our builds because of it.