[ https://issues.apache.org/jira/browse/ARTEMIS-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782306#comment-17782306 ]
Justin Bertram commented on ARTEMIS-4481:
-----------------------------------------

For what it's worth, the CVE has been fixed to exclude Netty since it was a false positive. See [here|https://github.com/netty/netty/issues/13665#issuecomment-1788593799].

> CVE-2023-4586 verification
> --------------------------
>
> Key: ARTEMIS-4481
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4481
> Project: ActiveMQ Artemis
> Issue Type: Task
> Components: JMS
> Affects Versions: 2.31.2
> Reporter: Pawel Veselov
> Priority: Major
>
> I do apologize for bringing this up here, but it's been a nuisance for us for a while.
>
> There is an open vulnerability, CVE-2023-4586, discussed here:
> https://github.com/netty/netty/issues/8537
> https://github.com/netty/netty/issues/13665
>
> The only reason we are packaging Netty in one of our applications is because we package Artemis client/server code as well.
>
> Is it possible to get a published statement from the maintainers of this project that Artemis doesn't use Netty in an insecure manner, as stated by this vulnerability report?
>
> That at least will give justification for continuing to suppress this vulnerability going forward.
>
> Thank you!