High Severity Security Vulnerability: sonatype-2021-0789

[ZachChuba]

shaded-asynchttpclient-2.2.9.jarplay/shaded/ahc/io/netty/handler/codec/compression/Lz4FrameEncoder.class[4.1.0.Beta2 , 4.1.66.Final) has a high vulnerability related to buffer overflow.

The root cause is an out of date netty transitive dependency. Please upgrade the netty-codec version to one that is not vulnerable

This issue was addressed in netty by: netty/netty#11429

[mkurz]

Taking a look in the next hours.

[mkurz]

Relevant:

• Use latest netty-reactive-streams version, ahc comes with outdated one #866

[mkurz]

Probably the best thing to do anyway is to backport #866 to the current stable branches. Making sure the shaded libraries are up-to-date is a very good idea in general anyway IMHO. I do not expect anything breaking for play-ws 🤞.

Created playframework/playframework#12893 to not forget about this, will be done soon with next Play patch release.

[mkurz]

Fixed in latest releases:

• https://github.com/playframework/play-ws/releases/tag/2.2.10
• https://github.com/playframework/play-ws/releases/tag/3.0.6

Will be part of next Play 3.0.6 and 2.9.6:

• [2.9.x] play-ws 2.2.10 playframework#12973
• [3.0.x] play-ws 3.0.6 playframework#12974