SIP2-178: Vert.x 4.4.6 fixing Netty HTTP/2 DoS (CVE-2023-44487)
Upgrade Vert.x from 4.3.4 to 4.4.6. This indirectly upgrades Netty
from 4.1.82.Final to 4.1.100.Final fixing HTTP/2 Denial of Service (DoS):
https://nvd.nist.gov/vuln/detail/CVE-2023-44487

log4j-bom must be listed before vertx-stack-depchain in <dependencyManagement>
so that log4j-bom overwrites the log4j versions from vertx-stack-depchain;
otherwise version mismatches result in class not found exceptions.

For log4j 2.19.0, log4j-slf4j-impl won't work; only log4j-slf4j2-impl does.

(cherry picked from commit ef503fb)
julianladisch committed Nov 4, 2023
1 parent 078d789 commit 844cd45
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions pom.xml
@@ -42,7 +42,7 @@
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<exec.mainClass>org.folio.edge.sip2.MainVerticle</exec.mainClass>
<vertx.version>4.3.4</vertx.version>
<vertx.version>4.4.6</vertx.version>
<log4j2.version>2.19.0</log4j2.version>
<micrometer.version>1.9.4</micrometer.version>
<maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
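Review bot: the Netty fix this commit is named for is not visible in this hunk; only vertx.version moves from 4.3.4 to 4.4.6, and Netty is inherited from vertx-stack-depchain, so nothing in pom.xml asserts that io.netty resolves to 4.1.100.Final. Please confirm the resolved version (e.g. `mvn dependency:tree -Dincludes=io.netty`) and consider pinning it, either through a netty-bom import or a `netty.version` property, so a later BOM import cannot silently pull Netty back below the fixed release. Note also that 4.3 to 4.4 is a minor-line bump of Vert.x, not a patch, so the change deserves a full test run rather than a dependency-only review.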
@@ -51,6 +51,13 @@

<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>${log4j2.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>io.vertx</groupId>
<artifactId>vertx-stack-depchain</artifactId>
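Review bot: the ordering constraint that makes this hunk work (log4j-bom must be imported before vertx-stack-depchain so that its log4j versions win) lives only in the commit message, not in pom.xml. Add an XML comment directly above the log4j-bom import, e.g. `<!-- must precede vertx-stack-depchain: first BOM wins for log4j versions -->`, so the next person who alphabetises or reorders the imports does not reintroduce the class-not-found failures described in the message.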
@@ -72,13 +79,6 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>${log4j2.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-bom</artifactId>
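Review bot: relying on BOM import order alone means a future reorder fails at runtime (ClassNotFoundException, per the commit message) rather than at build time. Since this hunk only moves the log4j-bom import, consider pairing it with a build-time guard such as maven-enforcer's `dependencyConvergence` or `requireUpperBoundDeps` rule, or at least a `mvn dependency:tree -Dincludes=org.apache.logging.log4j` check in CI, so that mixed log4j versions are caught before deployment.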
@@ -122,7 +122,7 @@
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<artifactId>log4j-slf4j2-impl</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
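Review bot: switching the binding from log4j-slf4j-impl to log4j-slf4j2-impl only works if slf4j-api resolves to a 2.x release, because the SLF4J 2 provider is discovered via ServiceLoader and is ignored by slf4j-api 1.7.x; this hunk does not show where slf4j-api is managed, so please confirm the resolved version (`mvn dependency:tree -Dincludes=org.slf4j`) and that no transitive dependency still drags in log4j-slf4j-impl, which would produce a duplicate-binding warning and possibly route logging to the wrong provider.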

0 comments on commit 844cd45