Hi. Are there any immediate plans to release a new version of Spring Boot (e.g. Spring Boot 2.4.5) that includes the fix for the following vulnerability in Netty? The advisory says the fix is available in Netty 4.1.61.Final, whereas the latest version of Spring Boot is using 4.1.60.Final (one revision lower).

  1. https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
  2. https://github.com/advisories/GHSA-f256-j965-7f32
  3. https://nvd.nist.gov/vuln/detail/CVE-2021-21409

Confusingly, link 2 lists the severity as low whereas the other two links list the severity as medium.

Comment From: msmsimondean

FYI, the Dependency Check plugin for Gradle is flagging this as a build-stopping issue when building a codebase that uses Spring Boot 2.4.4. At least it is for me.

Comment From: scottfrederick

As noted in the issue template for this project, a semi-automated process will check managed dependencies and upgrade in future releases. Spring Boot 2.4.5 will upgrade to Netty 4.1.63.Final.

Comment From: msmsimondean

@scottfrederick I read "You DO NOT need to raise an issue for a managed dependency version upgrade as there's a semi-automatic process for checking managed dependencies for new versions before a release" in the new issue template before I raised this issue. I still raised the issue though, as this relates to a security vulnerability (which has already been disclosed) and it would be good to get a timely fix rather than just wait for whenever the next release of Spring Boot naturally occurs.

Does Spring Boot have a policy for how quickly vulnerability fixes are released?

I also read "STOP!! Please don't raise security vulnerabilities here. Head over to https://spring.io/security-policy to learn how to disclose them responsibly" in the issue template, but that doesn't seem to apply, as https://spring.io/security-policy seems to a) only relate to disclosing vulnerabilities and b) cover vulnerabilities in Spring software itself rather than in third-party dependencies of Spring software.

Comment From: scottfrederick

> it would be good to get a timely fix rather than just wait for whenever the next release of Spring Boot naturally occurs.

Spring Boot releases are planned on a regular cadence and the planned release dates are documented on the milestone page.

As @wilkinsona said in https://github.com/spring-projects/spring-boot/issues/26016#issuecomment-817984579, you don't have to wait for a Spring Boot release to consume a newer version of a managed dependency, so we're not likely to do a special release for an issue like this. The documentation for the appropriate version lists the managed dependency versions and the property you would use to override that version.
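One way to pin the managed Netty version in a Gradle build, as an added example that is not code from this thread or from the Spring Boot project: it sets the `netty.version` property that Spring Boot's dependency management exposes, additionally forces every `io.netty` artifact to that version through `resolutionStrategy` so the pin holds for transitive dependencies as well, and registers a task that fails the build if anything still resolves below the advisory's fixed version. The plugin versions and the `spring-boot-starter-webflux` dependency are assumptions for illustration.

```groovy
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.4.4'              // assumed
    id 'io.spring.dependency-management' version '1.0.11.RELEASE' // assumed
}

repositories { mavenCentral() }

// Override the managed Netty version via the property Spring Boot's BOM uses.
ext['netty.version'] = '4.1.63.Final'

// Minimum Netty version carrying the GHSA-f256-j965-7f32 / CVE-2021-21409 fix.
def fixedNettyVersion = '4.1.61.Final'

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-webflux' // assumed
}

// Force the pinned version onto every io.netty artifact, transitive ones included.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'io.netty') {
            details.useVersion(ext['netty.version'])
            details.because("CVE-2021-21409 is fixed in Netty ${fixedNettyVersion}")
        }
    }
}

// Compare dotted numeric versions ('4.1.60.Final' < '4.1.61.Final'); non-numeric parts are ignored.
def compareVersions(String a, String b) {
    def pa = a.tokenize('.').findAll { it.isInteger() }*.toInteger()
    def pb = b.tokenize('.').findAll { it.isInteger() }*.toInteger()
    for (int i = 0; i < Math.max(pa.size(), pb.size()); i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Fail the build if any resolved Netty artifact is still below the fixed version.
tasks.register('checkNettyVersion') {
    doLast {
        def vulnerable = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'io.netty' }
            .findAll { compareVersions(it.moduleVersion.id.version, fixedNettyVersion) < 0 }
        if (!vulnerable.isEmpty()) {
            throw new GradleException("Netty below ${fixedNettyVersion}: ${vulnerable*.moduleVersion*.id}")
        }
    }
}
```

Run `./gradlew checkNettyVersion` (or wire the task into `check`) to confirm the override actually took effect on the runtime classpath rather than trusting the property alone.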

Comment From: msmsimondean

Thanks @scottfrederick. I've commented further on #26016. Sorry, I didn't notice your above link to #26016 at first. The netty.version property approach works with Maven but not Gradle. I'm just about to post a code snippet for Gradle.