From 96e5306a877d30c8ce855828b61d1caa9db6c21f Mon Sep 17 00:00:00 2001
From: TharmiganK
Date: Wed, 21 Jun 2023 18:16:28 +0530
Subject: [PATCH 1/4] Bump netty version to the latest
---
 gradle.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gradle.properties b/gradle.properties
index 5f228c7414..d69ac38851 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -4,8 +4,8 @@ version=2.9.0-SNAPSHOT
 ballerinaLangVersion=2201.7.0-20230619-175900-bb4e4544
 ballerinaTomlParserVersion=1.2.2
 commonsLang3Version=3.8.1
-nettyVersion=4.1.86.Final
-nettyTcnativeVersion=2.0.54.Final
+nettyVersion=4.1.94.Final
+nettyTcnativeVersion=2.0.61.Final
 bouncycastleVersion=1.69
 slf4jVersion=1.7.30
 jakartaXmlBindVersion=2.3.3
From c06954d9fa3e27d1f7e617764bf05844f2b666c4 Mon Sep 17 00:00:00 2001
From: TharmiganK
Date: Wed, 21 Jun 2023 18:31:37 +0530
Subject: [PATCH 2/4] [Automated] Update the native jar versions
---
 ballerina/Ballerina.toml | 62 ++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
index 8880df834d..fdd6239316 100644
--- a/ballerina/Ballerina.toml
+++ b/ballerina/Ballerina.toml
@@ -34,56 +34,56 @@ path = "./lib/constraint-native-1.3.0-20230620-195700-ca941bc.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-common"
-version = "4.1.86.Final"
-path = "./lib/netty-common-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-common-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-buffer"
-version = "4.1.86.Final"
-path = "./lib/netty-buffer-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-buffer-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport"
-version = "4.1.86.Final"
-path = "./lib/netty-transport-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-transport-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-resolver"
-version = "4.1.86.Final"
-path = "./lib/netty-resolver-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-resolver-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler"
-version = "4.1.86.Final"
-path = "./lib/netty-handler-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-handler-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-http-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-http-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler-proxy"
-version = "4.1.86.Final"
-path = "./lib/netty-handler-proxy-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-handler-proxy-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http2"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-http2-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-http2-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "commons-pool.wso2"
@@ -94,8 +94,8 @@ path = "./lib/commons-pool-1.5.6.wso2v1.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport-native-unix-common"
-version = "4.1.86.Final"
-path = "./lib/netty-transport-native-unix-common-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-transport-native-unix-common-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "org.bouncycastle"
@@ -112,29 +112,29 @@ path = "./lib/bcpkix-jdk15on-1.69.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-boringssl-static"
-version = "2.0.54.Final"
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final.jar"
+version = "2.0.61.Final"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-windows-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-windows-x86_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-linux-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-linux-aarch_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-linux-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-osx-aarch_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-osx-aarch_64.jar"
 [[platform.java11.dependency]]
-path = "./lib/netty-tcnative-boringssl-static-2.0.54.Final-osx-x86_64.jar"
+path = "./lib/netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-tcnative-classes"
-version = "2.0.54.Final"
-path = "./lib/netty-tcnative-classes-2.0.54.Final.jar"
+version = "2.0.61.Final"
+path = "./lib/netty-tcnative-classes-2.0.61.Final.jar"
 [[platform.java11.dependency]]
 groupId = "org.jvnet.mimepull"
@@ -145,8 +145,8 @@ path = "./lib/mimepull-1.9.11.jar"
 [[platform.java11.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-socks"
-version = "4.1.86.Final"
-path = "./lib/netty-codec-socks-4.1.86.Final.jar"
+version = "4.1.94.Final"
+path = "./lib/netty-codec-socks-4.1.94.Final.jar"
 [[platform.java11.dependency]]
 groupId = "org.jboss.marshalling"
From 8521bb40c5152836e07639ced7088a8cec89408b Mon Sep 17 00:00:00 2001
From: TharmiganK
Date: Wed, 21 Jun 2023 18:34:13 +0530
Subject: [PATCH 3/4] Fix test error message
---
 .../http-security-tests/tests/http2_mutual_ssl_test.bal | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ballerina-tests/http-security-tests/tests/http2_mutual_ssl_test.bal b/ballerina-tests/http-security-tests/tests/http2_mutual_ssl_test.bal
index 3fd1fd647c..7511b0f5e7 100644
--- a/ballerina-tests/http-security-tests/tests/http2_mutual_ssl_test.bal
+++ b/ballerina-tests/http-security-tests/tests/http2_mutual_ssl_test.bal
@@ -159,7 +159,8 @@ public function testHttp2MutualSsl4() returns error? {
 // Without keys - negative test
 http:Client httpClient = check new ("https://localhost:9204", http2MutualSslClientConf4);
 http:Response|error resp = httpClient->get("/http2Service/");
- string expectedErrMsg = "SSL connection failed:javax.net.ssl.SSLHandshakeException: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE localhost/127.0.0.1:9204";
+ string expectedErrMsg = "SSL connection failed:io.netty.handler.ssl.ReferenceCountedOpenSslEngine$OpenSslHandshakeException"
+ + ": error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE localhost/127.0.0.1:9204";
 if resp is error {
 test:assertEquals(resp.message(), expectedErrMsg);
 } else {
From 7539e2da0872e6e14c1914ba6e9110a7caa8a1f2 Mon Sep 17 00:00:00 2001
From: TharmiganK
Date: Wed, 21 Jun 2023 18:50:32 +0530
Subject: [PATCH 4/4] Update changelog
---
 changelog.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/changelog.md b/changelog.md
index 8526eae905..2ddea89f3e 100644
--- a/changelog.md
+++ b/changelog.md
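Review bot: In the `http2_mutual_ssl_test.bal` hunk, the new `expectedErrMsg` pins the fully qualified name of a Netty-internal exception class, `io.netty.handler.ssl.ReferenceCountedOpenSslEngine$OpenSslHandshakeException`. That class name is the part of the message that changed with this Netty bump and forced the edit, so the exact-match `test:assertEquals` will break again on the next transport upgrade without any change in TLS behaviour. For a negative mutual-TLS test, the property worth pinning is that the handshake is refused when the client presents no key material. Inside the `if resp is error` branch, the check could match the stable parts instead: `test:assertTrue(resp.message().startsWith("SSL connection failed:"));` and `test:assertTrue(resp.message().includes("SSLV3_ALERT_HANDSHAKE_FAILURE"));`. The `else` branch and the rest of `testHttp2MutualSsl4` lie outside the hunk, so it is not visible here whether a successful response fails the test.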
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Fixed
 - [Fix parsing query parameters fail when curly braces are provided](https://github.com/ballerina-platform/ballerina-standard-library/issues/4565)
+- [Address CVE-2023-34462 netty Vulnerability](https://github.com/ballerina-platform/ballerina-standard-library/issues/4599)
 ### Changed