[ https://issues.apache.org/jira/browse/CASSJAVA-113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brad Schoening updated CASSJAVA-113:
------------------------------------
Description:
There are various CVE scanners which detect that 4.19.0 which uses Netty 4.1.94
contains CVEs. While I do not personally think they are exploitable, the
scanners will trigger alarm and then it is virtually impossible to persuade
people looking at these scanners that it is most probably just fine.
In order to fix this issue, we need to bump Netty version to e.g. 4.1.126. I
see that in the current trunk it is 4.1.119 so it should be pretty smooth bump.
was:
There are various CVE scanners which detect that 4.19.0 which uses Netty 4.1.94
contains CVEs. While I do not personally think they are exploitable, the
scanners will trigger alarm and then it is virtually impossible to persuade
people looking at these scanners that it is most probably just fine.
In order to fix this issue, we need to bump Netty version to e.g. 4.1.26. I see
that in the current trunk it is 4.1.119 so it should be pretty smooth bump.
> Update Netty for driver to 4.1.126.Final
> ----------------------------------------
>
> Key: CASSJAVA-113
> URL: https://issues.apache.org/jira/browse/CASSJAVA-113
> Project: Apache Cassandra Java driver
> Issue Type: Task
> Components: Core
> Reporter: Stefan Miklosovic
> Assignee: Stefan Miklosovic
> Priority: Normal
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There are various CVE scanners which detect that 4.19.0 which uses Netty
> 4.1.94 contains CVEs. While I do not personally think they are exploitable,
> the scanners will trigger alarm and then it is virtually impossible to
> persuade people looking at these scanners that it is most probably just fine.
> In order to fix this issue, we need to bump Netty version to e.g. 4.1.126. I
> see that in the current trunk it is 4.1.119 so it should be pretty smooth
> bump.