[ https://issues.apache.org/jira/browse/ARTEMIS-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782306#comment-17782306 ]

Justin Bertram commented on ARTEMIS-4481:
-----------------------------------------

For what it's worth, the CVE has been fixed to exclude Netty since it was a 
false positive. See 
[here|https://github.com/netty/netty/issues/13665#issuecomment-1788593799].

> CVE-2023-4586 verification
> --------------------------
>
>                 Key: ARTEMIS-4481
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4481
>             Project: ActiveMQ Artemis
>          Issue Type: Task
>          Components: JMS
>    Affects Versions: 2.31.2
>            Reporter: Pawel Veselov
>            Priority: Major
>
> I do apologize for bringing this up here, but it's been a nuisance for us for 
> a while.
> There is an open vulnerability, CVE-2023-4586, discussed here:
> https://github.com/netty/netty/issues/8537
> https://github.com/netty/netty/issues/13665
> The only reason we are packaging Netty in one of our applications is because 
> we package Artemis client/server code as well.
> Is it possible to get a published statement from the maintainers of this 
> project that Artemis doesn't use Netty in an insecure manner, as stated by 
> this vulnerability report?
> That at least will give justification for continuing to suppress this 
> vulnerability going forward.
> Thank you!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)