[fix][sec] Upgrade Netty to 4.1.100 to address CVE-2023-44487 (apache…

…#21397) (cherry picked from commit aae6c71) Conflicts: buildtools/pom.xml distribution/server/src/assemble/LICENSE.bin.txt distribution/shell/src/assemble/LICENSE.bin.txt
datastax · Dec 14, 2023 · c1f5e09 · c1f5e09
1 parent fa0e7dd
commit c1f5e09
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 22 deletions.
diff --git a/buildtools/pom.xml b/buildtools/pom.xml
@@ -47,7 +47,7 @@
     <license-maven-plugin.version>4.1</license-maven-plugin.version>
     <puppycrawl.checkstyle.version>8.37</puppycrawl.checkstyle.version>
     <maven-checkstyle-plugin.version>3.1.2</maven-checkstyle-plugin.version>
-    <netty.version>4.1.94.Final</netty.version>
+    <netty.version>4.1.100.Final</netty.version>
     <guice.version>4.2.3</guice.version>
     <guava.version>32.1.1-jre</guava.version>
     <ant.version>1.10.12</ant.version>

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -265,7 +265,7 @@ The Apache Software License, Version 2.0
     - com.google.code.gson-gson-2.8.9.jar
     - io.gsonfire-gson-fire-1.8.5.jar
  * Guava
-    - com.google.guava-guava-32.1.1-jre.jar
+    - com.google.guava-guava-32.1.2-jre.jar
     - com.google.guava-failureaccess-1.0.1.jar
     - com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
  * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
@@ -307,6 +307,7 @@ The Apache Software License, Version 2.0
     - io.netty-netty-transport-4.1.100.Final.jar
     - io.netty-netty-transport-classes-epoll-4.1.100.Final.jar
     - io.netty-netty-transport-native-epoll-4.1.100.Final-linux-x86_64.jar
+    - io.netty-netty-transport-native-epoll-4.1.100.Final.jar
     - io.netty-netty-transport-native-unix-common-4.1.100.Final.jar
     - io.netty-netty-transport-native-unix-common-4.1.100.Final-linux-x86_64.jar
     - io.netty-netty-tcnative-boringssl-static-2.0.61.Final.jar

diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -326,7 +326,7 @@ The Apache Software License, Version 2.0
  * Gson
     - gson-2.8.9.jar
  * Guava
-    - guava-32.1.1-jre.jar
+    - guava-32.1.2-jre.jar
     - failureaccess-1.0.1.jar
     - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
  * J2ObjC Annotations -- j2objc-annotations-1.3.jar
@@ -344,22 +344,22 @@ The Apache Software License, Version 2.0
     - commons-text-1.10.0.jar
     - commons-compress-1.21.jar
  * Netty
-    - netty-buffer-4.1.94.Final.jar
-    - netty-codec-4.1.94.Final.jar
-    - netty-codec-dns-4.1.94.Final.jar
-    - netty-codec-http-4.1.94.Final.jar
-    - netty-codec-socks-4.1.94.Final.jar
-    - netty-codec-haproxy-4.1.94.Final.jar
-    - netty-common-4.1.94.Final.jar
-    - netty-handler-4.1.94.Final.jar
-    - netty-handler-proxy-4.1.94.Final.jar
-    - netty-resolver-4.1.94.Final.jar
-    - netty-resolver-dns-4.1.94.Final.jar
-    - netty-transport-4.1.94.Final.jar
-    - netty-transport-classes-epoll-4.1.94.Final.jar
-    - netty-transport-native-epoll-4.1.94.Final-linux-x86_64.jar
-    - netty-transport-native-unix-common-4.1.94.Final.jar
-    - netty-transport-native-unix-common-4.1.94.Final-linux-x86_64.jar
+    - netty-buffer-4.1.100.Final.jar
+    - netty-codec-4.1.100.Final.jar
+    - netty-codec-dns-4.1.100.Final.jar
+    - netty-codec-http-4.1.100.Final.jar
+    - netty-codec-socks-4.1.100.Final.jar
+    - netty-codec-haproxy-4.1.100.Final.jar
+    - netty-common-4.1.100.Final.jar
+    - netty-handler-4.1.100.Final.jar
+    - netty-handler-proxy-4.1.100.Final.jar
+    - netty-resolver-4.1.100.Final.jar
+    - netty-resolver-dns-4.1.100.Final.jar
+    - netty-transport-4.1.100.Final.jar
+    - netty-transport-classes-epoll-4.1.100.Final.jar
+    - netty-transport-native-epoll-4.1.100.Final-linux-x86_64.jar
+    - netty-transport-native-unix-common-4.1.100.Final.jar
+    - netty-transport-native-unix-common-4.1.100.Final-linux-x86_64.jar
     - netty-tcnative-boringssl-static-2.0.61.Final.jar
     - netty-tcnative-boringssl-static-2.0.61.Final-linux-aarch_64.jar
     - netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar
@@ -370,9 +370,9 @@ The Apache Software License, Version 2.0
     - netty-incubator-transport-classes-io_uring-0.0.21.Final.jar
     - netty-incubator-transport-native-io_uring-0.0.21.Final-linux-aarch_64.jar
     - netty-incubator-transport-native-io_uring-0.0.21.Final-linux-x86_64.jar
-    - netty-resolver-dns-classes-macos-4.1.94.Final.jar
-    - netty-resolver-dns-native-macos-4.1.94.Final-osx-aarch_64.jar
-    - netty-resolver-dns-native-macos-4.1.94.Final-osx-x86_64.jar
+    - netty-resolver-dns-classes-macos-4.1.100.Final.jar
+    - netty-resolver-dns-native-macos-4.1.100.Final-osx-aarch_64.jar
+    - netty-resolver-dns-native-macos-4.1.100.Final-osx-x86_64.jar
  * Prometheus client
     - simpleclient-0.16.0.jar
     - simpleclient_log4j2-0.16.0.jar