diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
index 6ba420fd0f..c47cbf5536 100644
--- a/ballerina/Ballerina.toml
+++ b/ballerina/Ballerina.toml
@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "http"
-version = "2.8.5"
+version = "2.8.6"
 authors = ["Ballerina"]
 keywords = ["http", "network", "service", "listener", "client"]
 repository = "https://github.com/ballerina-platform/module-ballerina-http"
@@ -12,8 +12,8 @@ distribution = "2201.5.0"
 [[platform.java11.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "http-native"
-version = "2.8.5"
-path = "../native/build/libs/http-native-2.8.5.jar"
+version = "2.8.6"
+path = "../native/build/libs/http-native-2.8.6-SNAPSHOT.jar"
 [[platform.java11.dependency]]
 groupId = "io.ballerina.stdlib"
@@ -30,56 +30,56 @@ path = "./lib/constraint-native-1.2.0.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-common"
-version = "4.1.100.Final"
-path = "./lib/netty-common-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-common-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-buffer"
-version = "4.1.100.Final"
-path = "./lib/netty-buffer-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-buffer-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport"
-version = "4.1.100.Final"
-path = "./lib/netty-transport-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-transport-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-resolver"
-version = "4.1.100.Final"
-path = "./lib/netty-resolver-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-resolver-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler"
-version = "4.1.100.Final"
-path = "./lib/netty-handler-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-handler-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-http-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-http-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler-proxy"
-version = "4.1.100.Final"
-path = "./lib/netty-handler-proxy-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-handler-proxy-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http2"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-http2-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-http2-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "commons-pool.wso2"
@@ -90,8 +90,8 @@ path = "./lib/commons-pool-1.5.6.wso2v1.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport-native-unix-common"
-version = "4.1.100.Final"
-path = "./lib/netty-transport-native-unix-common-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-transport-native-unix-common-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "org.bouncycastle"
@@ -108,29 +108,29 @@ path = "./lib/bcpkix-jdk18on-1.74.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-boringssl-static"
-version = "2.0.62.Final"
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final.jar"
+version = "2.0.65.Final"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-windows-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-windows-x86_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-linux-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-linux-aarch_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-linux-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-linux-x86_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-osx-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-osx-aarch_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.62.Final-osx-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.65.Final-osx-x86_64.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-classes"
-version = "2.0.62.Final"
-path = "./lib/netty-tcnative-classes-2.0.62.Final.jar"
+version = "2.0.65.Final"
+path = "./lib/netty-tcnative-classes-2.0.65.Final.jar"
 [[platform.java11.dependency]]
 groupId = "org.jvnet.mimepull"
@@ -141,8 +141,8 @@ path = "./lib/mimepull-1.9.11.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-socks"
-version = "4.1.100.Final"
-path = "./lib/netty-codec-socks-4.1.100.Final.jar"
+version = "4.1.108.Final"
+path = "./lib/netty-codec-socks-4.1.108.Final.jar"
 [[platform.java11.dependency]]
 groupId = "org.jboss.marshalling"
diff --git a/ballerina/CompilerPlugin.toml b/ballerina/CompilerPlugin.toml
index aaa04bf298..5bb9e3eb5d 100644
--- a/ballerina/CompilerPlugin.toml
+++ b/ballerina/CompilerPlugin.toml
@@ -3,4 +3,4 @@ id = "http-compiler-plugin"
 class = "io.ballerina.stdlib.http.compiler.HttpCompilerPlugin"
 [[dependency]]
-path = "../compiler-plugin/build/libs/http-compiler-plugin-2.8.5.jar"
+path = "../compiler-plugin/build/libs/http-compiler-plugin-2.8.6-SNAPSHOT.jar"
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
index 2558614c1e..b9e7718004 100644
--- a/ballerina/Dependencies.toml
+++ b/ballerina/Dependencies.toml
@@ -76,7 +76,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.8.5"
+version = "2.8.6"
 dependencies = [
 {org = "ballerina", name = "auth"},
 {org = "ballerina", name = "cache"},
diff --git a/changelog.md b/changelog.md
index a004b6085d..0d13474576 100644
--- a/changelog.md
+++ b/changelog.md
@@ -11,6 +11,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Expose HTTP connection eviction configurations in the client level](https://github.com/ballerina-platform/ballerina-library/issues/6503)
+### Fixed
+
+- [Address CVE-2024-29025 netty's vulnerability](https://github.com/ballerina-platform/ballerina-library/issues/6242)
+
 ## [2.8.5] - 2024-03-13
 ### Changed
diff --git a/gradle.properties b/gradle.properties
index 494b957d51..428ac7abb3 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -4,8 +4,8 @@ version=2.8.6-SNAPSHOT
 ballerinaLangVersion=2201.5.0
 ballerinaTomlParserVersion=1.2.2
 commonsLang3Version=3.8.1
-nettyVersion=4.1.100.Final
-nettyTcnativeVersion=2.0.62.Final
+nettyVersion=4.1.108.Final
+nettyTcnativeVersion=2.0.65.Final
 bouncycastleVersion=1.74
 slf4jVersion=1.7.30
 jakartaXmlBindVersion=2.3.3
diff --git a/native/src/main/resources/META-INF/native-image/io.ballerina.stdlib/http-native/native-image.properties b/native/src/main/resources/META-INF/native-image/io.ballerina.stdlib/http-native/native-image.properties
index ed04421c5c..bffdde3712 100644
--- a/native/src/main/resources/META-INF/native-image/io.ballerina.stdlib/http-native/native-image.properties
+++ b/native/src/main/resources/META-INF/native-image/io.ballerina.stdlib/http-native/native-image.properties
@@ -19,6 +19,7 @@ Args = --enable-url-protocols=http,https \
  --initialize-at-run-time=io.netty.handler.codec.compression.ZstdOptions \
  --initialize-at-run-time=io.netty.handler.codec.http2.Http2ServerUpgradeCodec \
  --initialize-at-run-time=io.netty.handler.ssl.BouncyCastleAlpnSslUtils \
+ --initialize-at-run-time=io.netty.handler.ssl.JdkSslServerContext \
  --initialize-at-run-time=io.netty.handler.ssl.OpenSsl \
  --initialize-at-run-time=io.netty.handler.ssl.OpenSslPrivateKeyMethod \
  --initialize-at-run-time=io.netty.handler.ssl.OpenSslAsyncPrivateKeyMethod \
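Review bot: The added `--initialize-at-run-time=io.netty.handler.ssl.JdkSslServerContext` entry has no explanation, and the changelog entry in this commit does not mention it. It is presumably required by the move to netty 4.1.108.Final, since it is the only non-version change here; a comment above `Args`, e.g. `# JdkSslServerContext: run-time init required since the netty 4.1.108.Final upgrade`, would stop a later upgrade from dropping it by accident. Deferring TLS context classes to run time is also the safer choice for a native image, because build-time initialisation can freeze security-provider state into the image heap, so it is worth confirming with a native-image build that exercises an HTTPS listener. The `Args` value starts above this hunk and continues past its last line.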