[GHSA-rwm7-x88c-3g2p] Netty epoll transport denial of service via RST on half-closed TCP connection#7621
Hi there @chrisvest! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
#7620 has the right fix - closing in favour of that.
Pull request overview
Updates the OSV advisory for GHSA-rwm7-x88c-3g2p (Netty epoll transport DoS) to better model affected Maven artifacts/versions so downstream tooling (e.g., Dependabot) can evaluate vulnerability status correctly.
Changes:
- Adds a second affected entry for io.netty:netty-transport-native-epoll intended to represent an additional fixed line (4.1.x).
- Declares 4.1.133.Final as the fix version for that additional affected entry.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "io.netty:netty-transport-native-epoll" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "4.1.133.Final" | ||
| } | ||
| ] |
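Review bot: the "fixed": "4.1.133.Final" event in this new affected entry conflicts with the version the thread itself cites as carrying the fix; the comment below states that netty/netty#16689 reports 4.1.113.Final as fixed, so as written this range would keep flagging every 4.1.x release from 4.1.113.Final up to 4.1.132.Final. Please confirm the upstream fix version before this entry lands (the maintainer points to #7620 as the correct fix). Separately, since this is a second affected entry for the same package, an "introduced": "0" event here overlaps the existing entry's range rather than describing a distinct 4.1.x line; it should start at the first affected 4.1.x version instead of "0".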
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "4.1.133.Final" | ||
| } |
netty/netty#16689 says that 4.1.113.Final has the fix. This CVE/GHSA is currently making Dependabot treat 4.1.113.Final as having a CVE.