[
https://issues.apache.org/jira/browse/ARROW-17850?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated ARROW-17850:
-----------------------------------
Labels: pull-request-available (was: )
> [Java] Upgrade netty-codec-http dependencies
> --------------------------------------------
>
> Key: ARROW-17850
> URL: https://issues.apache.org/jira/browse/ARROW-17850
> Project: Apache Arrow
> Issue Type: Bug
> Components: Java
> Affects Versions: 9.0.0
> Reporter: Hui Yu
> Assignee: David Dali Susanibar Arce
> Priority: Major
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> [CVE-2022-24823]([https://github.com/advisories/GHSA-269q-hmxg-m83q]) reports
> a security vulnerability for *netty-codec-http*
> Now the version of *netty-codec-http* in the master branch is *4.1.72.Final,*
> that is unsafe.
> The ticket https://issues.apache.org/jira/browse/ARROW-16996 bumps
> *netty-codec* to {*}4.1.78.Final{*}, it didn't bump *netty-codec-http.*
> Can you upgrade the version of *netty-codec-http* ?
>
> Here is my output of mvn:dependency now:
> ```bash
> [INFO] +- org.apache.arrow:flight-core:jar:9.0.0:compile
> [INFO] | +- io.grpc:grpc-netty:jar:1.47.0:compile
> [INFO] | | +- io.netty:netty-codec-http2:jar:4.1.72.Final:compile
> [INFO] | | | - io.netty:{*}netty-codec-http{*}:jar:4.1.72.Final:compile
> [INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.72.Final:runtime
> [INFO] | | | - io.netty:netty-codec-socks:jar:4.1.72.Final:runtime
> [INFO] | | +-
> com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
> [INFO] | | +- io.perfmark:perfmark-api:jar:0.25.0:runtime
> [INFO] | | -
> io.netty:netty-transport-native-unix-common:jar:4.1.72.Final:compile
> [INFO] | +- io.grpc:grpc-core:jar:1.47.0:compile
> [INFO] | | +- com.google.android:annotations:jar:4.1.1.4:runtime
> [INFO] | | - org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
> [INFO] | +- io.grpc:grpc-context:jar:1.47.0:compile
> [INFO] | +- io.grpc:grpc-protobuf:jar:1.47.0:compile
> [INFO] | | +-
> com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
> [INFO] | | - io.grpc:grpc-protobuf-lite:jar:1.47.0:compile
> [INFO] | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.53.Final:compile
> [INFO] | | +- io.netty:netty-tcnative-classes:jar:2.0.53.Final:compile
> [INFO] | | +-
> io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.53.Final:compile
> [INFO] | | +-
> io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.53.Final:compile
> [INFO] | | +-
> io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.53.Final:compile
> [INFO] | | +-
> io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.53.Final:compile
> [INFO] | | -
> io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.53.Final:compile
> [INFO] | +- io.netty:netty-handler:jar:4.1.78.Final:compile
> [INFO] | | +- io.netty:netty-resolver:jar:4.1.78.Final:compile
> [INFO] | | - io.netty:netty-codec:jar:4.1.78.Final:compile
> [INFO] | +- io.netty:netty-transport:jar:4.1.78.Final:compile
> [INFO] | +- com.google.guava:guava:jar:30.1.1-jre:compile
> [INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
> [INFO] | | +-
> com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
> [INFO] | | +- org.checkerframework:checker-qual:jar:3.8.0:compile
> [INFO] | | - com.google.j2objc:j2objc-annotations:jar:1.3:compile
> [INFO] | +- io.grpc:grpc-stub:jar:1.47.0:compile
> [INFO] | +- com.google.protobuf:protobuf-java:jar:3.21.2:compile
> [INFO] | +- io.grpc:grpc-api:jar:1.47.0:compile
> [INFO] | - javax.annotation:javax.annotation-api:jar:1.3.2:compile
> ```
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
