Fix CVE-2015-5237, CVE-2024-7254, CVE-2022-3171, CVE-2021-22569, CVE-2021-22570#37888
terrymanu merged 5 commits into apache:master from
Conversation
Pull request overview
This PR centralizes an exclusion of protobuf-javanano from the Netty protobuf codec to address several protobuf-related CVEs, and documents the change in the release notes.
Changes:
- Add a managed `io.netty:netty-codec-protobuf` dependency with an exclusion for `com.google.protobuf.nano:protobuf-javanano` in the root `dependencyManagement` POM.
- Update `RELEASE-NOTES.md` to record the CVEs addressed by this change and link to the PR.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Adds a dependencyManagement entry for io.netty:netty-codec-protobuf that excludes protobuf-javanano, ensuring all module usages inherit the exclusion and mitigating the listed CVEs. |
| RELEASE-NOTES.md | Documents the newly fixed CVEs for release 5.5.3, referencing this PR, though the new line currently contains a duplicated “CVE” and a duplicated CVE ID. |
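The managed dependency the review describes, written out as an illustrative `pom.xml` fragment added here for readers; it is not the PR's own diff, and the `${netty.version}` property name is an assumption:

```xml
<!-- Root POM: managed entry so every module that declares
     io.netty:netty-codec-protobuf inherits the exclusion. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec-protobuf</artifactId>
      <!-- assumed property name; use the project's real one -->
      <version>${netty.version}</version>
      <exclusions>
        <!-- Drop the transitive protobuf-javanano artifact, the
             component the listed CVEs are reported against. -->
        <exclusion>
          <groupId>com.google.protobuf.nano</groupId>
          <artifactId>protobuf-javanano</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=com.google.protobuf.nano` run from the project root should report no matching artifact in any module; a remaining match means some other dependency still pulls protobuf-javanano in transitively and needs its own exclusion.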
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| 1. Fix CVE-2025-55163, CVE-2025-58056, CVE-2025-58057 [#36758](https://github.com/apache/shardingsphere/pull/36758) | ||
| 1. Fix CVE-2025-48924 [#36085](https://github.com/apache/shardingsphere/pull/36085) | ||
| 1. Fix CVE-2024-7254 [#36153](https://github.com/apache/shardingsphere/pull/36153) | ||
| 1. Fix CVE-2015-5237, CVE-2024-7254, CVE-2022-3171, CVE-2021-22569, CVE-2021-22570 [#37888](https://github.com/apache/shardingsphere/pull/37888) |
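Review bot: the new last line only says "Fix CVE-…" and does not say what changed; since the fix is an exclusion of a transitive artifact rather than a version upgrade, name it, e.g. "Fix … by excluding protobuf-javanano from netty-codec-protobuf", so users reading the notes can tell whether the affected nano artifact was ever on their classpath.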
This new entry lists CVE-2024-7254 again even though it is already covered by the previous line, which may confuse readers about which PR actually resolves the issue; consider either omitting CVE-2024-7254 here or clarifying how this PR’s fix relates to the earlier one.
| 1. Fix CVE-2015-5237, CVE-2024-7254, CVE-2022-3171, CVE-2021-22569, CVE-2021-22570 [#37888](https://github.com/apache/shardingsphere/pull/37888) | |
| 1. Fix CVE-2015-5237, CVE-2022-3171, CVE-2021-22569, CVE-2021-22570 [#37888](https://github.com/apache/shardingsphere/pull/37888) |
Exclude protobuf-javanano to fix:
https://nvd.nist.gov/vuln/detail/CVE-2015-5237
https://nvd.nist.gov/vuln/detail/CVE-2024-7254
https://nvd.nist.gov/vuln/detail/CVE-2022-3171
https://nvd.nist.gov/vuln/detail/CVE-2021-22569
https://nvd.nist.gov/vuln/detail/CVE-2021-22570