[ https://issues.apache.org/jira/browse/CASSANDRA-18812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17760806#comment-17760806 ]
Stefan Miklosovic edited comment on CASSANDRA-18812 at 8/31/23 9:11 AM: ------------------------------------------------------------------------ [https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=dependency-check&utm_medium=integration&utm_content=8.3.1] This is interesting: https://github.com/netty/netty/issues/9930#issuecomment-572196335 https://github.com/netty/netty/issues/9930#issuecomment-572201601 we are not setting hostname / port. https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L359 I have not dug deep here, I have to admit that, just posting what I see. was (Author: smiklosovic): [https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=dependency-check&utm_medium=integration&utm_content=8.3.1] This is interesting: https://github.com/netty/netty/issues/9930#issuecomment-572196335 we are not setting hostname / port. https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L359 I have not dug deep here, I have to admit that, just posting what I see. > Investigate and fix CVE-2023-4586 > --------------------------------- > > Key: CASSANDRA-18812 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18812 > Project: Cassandra > Issue Type: Improvement > Reporter: Stefan Miklosovic > Priority: Normal > Fix For: 5.x > > Attachments: dependency-check-report.html > > > CVE-2023-4586 was found by dependency checker on 5.0 / trunk for Netty 4.1.96. > > HTML report is attached. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org