Merge pull request #1321 from dilanSachi/update-netty

Update vulnerable netty version
ballerina-platform · Jun 22, 2023 · e35bf3c · e35bf3c
2 parents 34b8d98 + 76fea80
commit e35bf3c
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 33 deletions.
diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
@@ -35,67 +35,67 @@ scope = "testOnly"
 groupId = "io.ballerina.stdlib"
 artifactId = "http-native"
 version = "2.9.0"
-path = "./lib/http-native-2.9.0-20230621-065800-bb69fb5.jar"
+path = "./lib/http-native-2.9.0-20230621-211000-3a0a7fa.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-common"
-version = "4.1.86.Final"
-path = "./lib/netty-common-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-common-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-buffer"
-version = "4.1.86.Final"
-path = "./lib/netty-buffer-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-buffer-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport"
-version = "4.1.86.Final"
-path = "./lib/netty-transport-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-transport-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-resolver"
-version = "4.1.86.Final"
-path = "./lib/netty-resolver-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-resolver-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler"
-version = "4.1.86.Final"
-path = "./lib/netty-handler-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-handler-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-http-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-http-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler-proxy"
-version = "4.1.86.Final"
-path = "./lib/netty-handler-proxy-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-handler-proxy-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http2"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-http2-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-http2-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport-native-unix-common"
-version = "4.1.86.Final"
-path = "./lib/netty-transport-native-unix-common-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-transport-native-unix-common-4.1.94.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "commons.pool.wso2"
@@ -118,29 +118,29 @@ path = "./lib/bcpkix-jdk15on-1.69.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-classes"
-version = "2.0.54.Final"
-path = "./lib/netty-tcnative-classes-2.0.54.Final.jar"
+version = "2.0.61.Final"
+path = "./lib/netty-tcnative-classes-2.0.61.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-boringssl-static"
-version = "2.0.54.Final"
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final.jar"
+version = "2.0.61.Final"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-windows-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-windows-x86_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-linux-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-linux-aarch_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-linux-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-osx-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-osx-aarch_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-osx-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar"
 
 [[platform.java11.dependency]]
 groupId = "com.google.protobuf"

diff --git a/changelog.md b/changelog.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Fixed
 - [Add descriptor map to `grpc:Descriptor` and stub initialization](https://github.com/ballerina-platform/ballerina-standard-library/issues/4555)
+- [Address CVE-2023-34462 netty Vulnerability](https://github.com/ballerina-platform/ballerina-standard-library/issues/4602)
 
 ## [1.6.1] - 2023-03-15
 ### Fixed

diff --git a/gradle.properties b/gradle.properties
@@ -10,8 +10,8 @@ slf4jVersion=1.7.30
 protoGoogleCommonsVersion=1.17.0
 protobufJavaVersion=3.20.3
 jknackHandlebarsVersion=4.0.6
-nettyVersion=4.1.86.Final
-nettyTcnativeVersion=2.0.54.Final
+nettyVersion=4.1.94.Final
+nettyTcnativeVersion=2.0.61.Final
 picocliVersion=4.0.1
 githubSpotbugsVersion=4.0.5
 githubJohnrengelmanShadowVersion=5.2.0
@@ -47,7 +47,7 @@ stdlibAuthVersion=2.9.0-20230620-221100-6b88179
 stdlibJwtVersion=2.9.0-20230620-221100-adcdde4
 stdlibOAuth2Version=2.9.0-20230620-214300-9df2b5a
 
-stdlibHttpVersion=2.9.0-20230621-065800-bb69fb5
+stdlibHttpVersion=2.9.0-20230621-211000-3a0a7fa
 
 # Ballerinax Observer
 observeVersion=1.1.0-20230620-193900-57e0c73