Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump to Vert.x 4.5.13 and Netty 4.1.118.Final #46194

Merged
merged 1 commit into from
Feb 11, 2025
Merged

Bump to Vert.x 4.5.13 and Netty 4.1.118.Final #46194

merged 1 commit into from
Feb 11, 2025
+4 −4

Conversation

jponge
Copy link
Member

@jponge jponge commented Feb 11, 2025

@jponge
Bump to Vert.x 4.5.13 and Netty 4.1.118.Final

Verified

This commit was signed with the committer’s verified signature.
jglick Jesse Glick
GPG key ID: 1DDA69D94B624311
Verified
Learn about vigilant mode
Loading
Loading status checks…
c07461a 
See https://github.com/vert-x3/wiki/wiki/4.5.13-Release-Notes

Fixes the following CVEs:
- CVE-2025-24970
- CVE-2025-25193
@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/netty area/vertx labels Feb 11, 2025
@sberyozkin
Copy link
Member

Hi @jponge Can it be backported to 3.15, and 3.8 ?

@jponge
Copy link
Member Author

jponge commented Feb 11, 2025

I need to have a look, it depends on what the Netty versions are here as Netty has been quite brittle wrt native compilation in their minor upgrades.

@jponge
Copy link
Member Author

jponge commented Feb 11, 2025

3.15 looks easy to do, but I will open a PR instead of just tagging with a backport label (/cc @gsmet)

Next I'll look at 3.8

@jponge
Copy link
Member Author

jponge commented Feb 11, 2025

Update: I was on the wrong reference branch for 3.15, so I need to restart the investigations for 3.15

@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented Feb 11, 2025
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit c07461a.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

Flaky tests - Develocity

⚙️ JVM Tests - JDK 21

📦 extensions/opentelemetry/deployment

io.quarkus.opentelemetry.deployment.logs.LoggingFrameworkTest.testLog4jLogging - History

  • Expected log to have body <ValueString{Log4j Logging message}> but was <ValueString{RESTEASY004687: Closing a class org.jboss.resteasy.client.jaxrs.engines.ManualClosingApacheHttpClient43Engine$CleanupAction instance for you. Please close clients yourself.}> - org.opentest4j.AssertionFailedError
org.opentest4j.AssertionFailedError: Expected log to have body <ValueString{Log4j Logging message}> but was <ValueString{RESTEASY004687: Closing a class org.jboss.resteasy.client.jaxrs.engines.ManualClosingApacheHttpClient43Engine$CleanupAction instance for you. Please close clients yourself.}>
	at io.quarkus.opentelemetry.deployment.logs.LoggingFrameworkTest.testLog4jLogging(LoggingFrameworkTest.java:95)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at io.quarkus.test.QuarkusUnitTest.runExtensionMethod(QuarkusUnitTest.java:513)
	at io.quarkus.test.QuarkusUnitTest.interceptTestMethod(QuarkusUnitTest.java:427)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)

⚙️ JVM Tests - JDK 17 Windows

📦 independent-projects/resteasy-reactive/server/vertx

org.jboss.resteasy.reactive.server.vertx.test.sse.SseServerTestCase.shouldNotTryToSendToClosedSink - History

  • 1 expectation failed. Response body doesn't match expectation. Expected: "true" Actual: false - java.lang.AssertionError
java.lang.AssertionError: 
1 expectation failed.
Response body doesn't match expectation.
Expected: "true"
  Actual: false

	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)

⚙️ Maven Tests - JDK 17

📦 integration-tests/devmode

io.quarkus.test.devui.DevUIGrpcSmokeTest.testTestService - History

  • Too many recursions, message not returned for id [1755293867] - java.lang.RuntimeException
java.lang.RuntimeException: Too many recursions, message not returned for id [1755293867]
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:164)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
  • Too many recursions, message not returned for id [332609786] - java.lang.RuntimeException
java.lang.RuntimeException: Too many recursions, message not returned for id [332609786]
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:164)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)
	at io.quarkus.devui.tests.DevUIJsonRPCTest.objectResultFromJsonRPC(DevUIJsonRPCTest.java:167)

@gsmet gsmet merged commit 7ff0fcf into quarkusio:main Feb 11, 2025
55 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.19 - main milestone Feb 11, 2025
@matzew
Copy link

matzew commented Feb 11, 2025

Will this be also included in next 3.18 ?

@geoand
Copy link
Contributor

geoand commented Feb 11, 2025

Yes, that's the purpose of the triage/backport label.

@gsmet
Copy link
Member

gsmet commented Feb 11, 2025

@jponge are we using the native SSL engine by default? I.e. are we practically exposed to this CVE?

@jponge
Copy link
Member Author

jponge commented Feb 11, 2025

@gsmet I think @geoand knows better

@geoand
Copy link
Contributor

geoand commented Feb 11, 2025

I am not sure what they mean in the CVE by "native" SSL engine, but just looking at the code in Netty that fixes it, I would say we are using it

@jponge
Copy link
Member Author

jponge commented Feb 11, 2025

3.8 is more complicated, because meanwhile Netty has had internal refactorings that break native compilation. I might need to also bump Vert.x and backport fixes here.

@gsmet
Copy link
Member

gsmet commented Feb 11, 2025

@jponge what I usually recommend is to go through the existing Netty upgrade pull requests.

@gsmet
Copy link
Member

gsmet commented Feb 11, 2025

/cc @sberyozkin @jmartisk for awareness.

@jponge
Copy link
Member Author

jponge commented Feb 11, 2025

Backports:

@gsmet gsmet modified the milestones: 3.19 - main, 3.18.3 Feb 11, 2025
@sberyozkin
Copy link
Member

Thanks @jponge for also providing fixes for 3.15 and 3.8 branches

@DavideD DavideD mentioned this pull request Feb 14, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoand geoand

Assignees
No one assigned
Labels
area/dependencies Pull requests that update a dependency file area/netty area/vertx triage/backport-3.15 triage/flaky-test
Projects
None yet
Milestone
3.18.3
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@jponge @sberyozkin @matzew @geoand @gsmet @jmartisk