Merge pull request #1990 from dilanSachi/6.x-expose-timeout-config

[6.x] Update Netty version to resolve CVE-2024-29025
ballerina-platform · May 7, 2024 · 6d854e9 · 6d854e9
2 parents 63b8bb5 + 887faa1
commit 6d854e9
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 38 deletions.
diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "http"
-version = "2.8.5"
+version = "2.8.6"
 authors = ["Ballerina"]
 keywords = ["http", "network", "service", "listener", "client"]
 repository = "https://github.com/ballerina-platform/module-ballerina-http"
@@ -12,8 +12,8 @@ distribution = "2201.5.0"
 [[platform.java11.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "http-native"
-version = "2.8.5"
-path = "../native/build/libs/http-native-2.8.5.jar"
+version = "2.8.6"
+path = "../native/build/libs/http-native-2.8.6-SNAPSHOT.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.ballerina.stdlib"
@@ -30,56 +30,56 @@ path = "./lib/constraint-native-1.2.0.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-common"
-version = "4.1.100.Final"
-path = "./lib/netty-common-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-common-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-buffer"
-version = "4.1.100.Final"
-path = "./lib/netty-buffer-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-buffer-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport"
-version = "4.1.100.Final"
-path = "./lib/netty-transport-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-transport-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-resolver"
-version = "4.1.100.Final"
-path = "./lib/netty-resolver-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-resolver-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler"
-version = "4.1.100.Final"
-path = "./lib/netty-handler-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-handler-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-http-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-http-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler-proxy"
-version = "4.1.100.Final"
-path = "./lib/netty-handler-proxy-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-handler-proxy-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http2"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-http2-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-http2-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "commons-pool.wso2"
@@ -90,8 +90,8 @@ path = "./lib/commons-pool-1.5.6.wso2v1.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport-native-unix-common"
-version = "4.1.100.Final"
-path = "./lib/netty-transport-native-unix-common-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-transport-native-unix-common-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "org.bouncycastle"
@@ -108,29 +108,29 @@ path = "./lib/bcpkix-jdk18on-1.74.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-boringssl-static"
-version = "2.0.62.Final"
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final.jar"
+version = "2.0.65.Final"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-windows-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-windows-x86_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-linux-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-linux-aarch_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-linux-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-linux-x86_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-osx-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-osx-aarch_64.jar"
 
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-osx-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-osx-x86_64.jar"
 
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-classes"
-version = "2.0.62.Final"
-path = "./lib/netty-tcnative-classes-2.0.62.Final.jar"
+version = "2.0.65.Final"
+path = "./lib/netty-tcnative-classes-2.0.65.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "org.jvnet.mimepull"
@@ -141,8 +141,8 @@ path = "./lib/mimepull-1.9.11.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-socks"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-socks-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-socks-4.1.108.Final.jar"
 
 [[platform.java11.dependency]]
 groupId = "org.jboss.marshalling"

diff --git a/ballerina/CompilerPlugin.toml b/ballerina/CompilerPlugin.toml
@@ -3,4 +3,4 @@ id = "http-compiler-plugin"
 class = "io.ballerina.stdlib.http.compiler.HttpCompilerPlugin"
 
 [[dependency]]
-path = "../compiler-plugin/build/libs/http-compiler-plugin-2.8.5.jar"
+path = "../compiler-plugin/build/libs/http-compiler-plugin-2.8.6-SNAPSHOT.jar"
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
@@ -76,7 +76,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.8.5"
+version = "2.8.6"
 dependencies = [
 	{org = "ballerina", name = "auth"},
 	{org = "ballerina", name = "cache"},

diff --git a/changelog.md b/changelog.md
@@ -11,6 +11,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - [Expose HTTP connection eviction configurations in the client level](https://github.com/ballerina-platform/ballerina-library/issues/6503)
 
+### Fixed
+
+- [Address CVE-2024-29025 netty's vulnerability](https://github.com/ballerina-platform/ballerina-library/issues/6242)
+
 ## [2.8.5] - 2024-03-13
 
 ### Changed

diff --git a/gradle.properties b/gradle.properties
@@ -4,8 +4,8 @@ version=2.8.6-SNAPSHOT
 ballerinaLangVersion=2201.5.0
 ballerinaTomlParserVersion=1.2.2
 commonsLang3Version=3.8.1
-nettyVersion=4.1.100.Final
-nettyTcnativeVersion=2.0.62.Final
+nettyVersion=4.1.108.Final
+nettyTcnativeVersion=2.0.65.Final
 bouncycastleVersion=1.74
 slf4jVersion=1.7.30
 jakartaXmlBindVersion=2.3.3

diff --git a/...n/resources/META-INF/native-image/io.ballerina.stdlib/http-native/native-image.properties b/...n/resources/META-INF/native-image/io.ballerina.stdlib/http-native/native-image.properties
@@ -19,6 +19,7 @@ Args =  --enable-url-protocols=http,https \
         --initialize-at-run-time=io.netty.handler.codec.compression.ZstdOptions \
         --initialize-at-run-time=io.netty.handler.codec.http2.Http2ServerUpgradeCodec \
         --initialize-at-run-time=io.netty.handler.ssl.BouncyCastleAlpnSslUtils \
+        --initialize-at-run-time=io.netty.handler.ssl.JdkSslServerContext \
         --initialize-at-run-time=io.netty.handler.ssl.OpenSsl \
         --initialize-at-run-time=io.netty.handler.ssl.OpenSslPrivateKeyMethod \
         --initialize-at-run-time=io.netty.handler.ssl.OpenSslAsyncPrivateKeyMethod \