[jira] [Comment Edited] (CASSANDRA-18812) Investigate and fix CVE-2023-4586

Thu, 31 Aug 2023 02:14:17 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17760806#comment-17760806
 ] 

Stefan Miklosovic edited comment on CASSANDRA-18812 at 8/31/23 9:11 AM:
------------------------------------------------------------------------

[https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=dependency-check&utm_medium=integration&utm_content=8.3.1]

This is interesting: 

https://github.com/netty/netty/issues/9930#issuecomment-572196335
https://github.com/netty/netty/issues/9930#issuecomment-572201601

we are not setting hostname / port.

https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L359

I have not dug deep here, I have to admit that, just posting what I see.


was (Author: smiklosovic):
[https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=dependency-check&utm_medium=integration&utm_content=8.3.1]

This is interesting: 

https://github.com/netty/netty/issues/9930#issuecomment-572196335

we are not setting hostname / port.

https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L359

I have not dug deep here, I have to admit that, just posting what I see.

> Investigate and fix CVE-2023-4586
> ---------------------------------
>
>                 Key: CASSANDRA-18812
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18812
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 5.x
>
>         Attachments: dependency-check-report.html
>
>
> CVE-2023-4586 was found by dependency checker on 5.0 / trunk for Netty 4.1.96.
>  
> HTML report is attached.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to