Please update netty to v4.1.42 in netty-nio-client #1471

Closed
testphreak opened this issue Oct 14, 2019 · 5 comments
Labels
dependencies This issue is a problem in a dependency.

Comments

@testphreak

The netty-nio-client dependency in software.amazon.awssdk:kms:jar uses netty v4.1.41, which has a security issue as described here. A fix for the issue was released 19 days ago with v4.1.42 as described here. Please update netty inside netty-nio-client to the new version.

Steps to Reproduce (for bugs)

mvn dependency:tree

[INFO] +- software.amazon.awssdk:kms:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:aws-json-protocol:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:protocol-core:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:sdk-core:jar:2.9.19:compile
[INFO] |  |  \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |  +- software.amazon.awssdk:http-client-spi:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:regions:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:annotations:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:utils:jar:2.9.19:compile
[INFO] |  +- software.amazon.awssdk:apache-client:jar:2.9.19:runtime
[INFO] |  \- software.amazon.awssdk:netty-nio-client:jar:2.9.19:runtime
[INFO] |     +- io.netty:netty-codec-http:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-codec-http2:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-codec:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-transport:jar:4.1.41.Final:runtime
[INFO] |     |  \- io.netty:netty-resolver:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-common:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-buffer:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-handler:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.41.Final:runtime
[INFO] |     |  \- io.netty:netty-transport-native-unix-common:jar:4.1.41.Final:runtime
[INFO] |     \- com.typesafe.netty:netty-reactive-streams-http:jar:2.0.3:runtime
[INFO] |        \- com.typesafe.netty:netty-reactive-streams:jar:2.0.3:runtime

Context

This issue affects us because security scans have been flagging the issue lately as a critical vulnerability. As a result we would like to see the netty version updated as soon as possible.

Your Environment

  • AWS Java SDK version used: 2.9.19
  • JDK version used: 1.8
  • Operating System and version: MacOS 10.14.5
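Added example, not code from the report or from the SDK: a small Python check over the dependency:tree excerpt quoted above that flags every io.netty artifact still below the 4.1.42 fix, including the classifier-bearing epoll line. The group id and minimum version are taken from the report; the parsing is an assumption about the standard `mvn dependency:tree` line format.

```python
import re
from typing import List, Optional, Tuple

# Group and minimum fixed version named in the report above.
NETTY_GROUP = "io.netty"
FIXED_NETTY = "4.1.42"

# Excerpt of the `mvn dependency:tree` output quoted in the report.
TREE = r"""
[INFO] |  \- software.amazon.awssdk:netty-nio-client:jar:2.9.19:runtime
[INFO] |     +- io.netty:netty-codec-http:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-transport:jar:4.1.41.Final:runtime
[INFO] |     |  \- io.netty:netty-resolver:jar:4.1.41.Final:runtime
[INFO] |     +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.41.Final:runtime
[INFO] |     \- com.typesafe.netty:netty-reactive-streams-http:jar:2.0.3:runtime
"""

def parse_coordinate(coord: str) -> Optional[Tuple[str, str, str, str]]:
    """'group:artifact:type[:classifier]:version:scope' -> (group, artifact, version, scope).
    The optional classifier (epoll line) shifts fields, so version/scope are read from the end."""
    parts = coord.split(":")
    if len(parts) not in (5, 6):
        return None
    return parts[0], parts[1], parts[-2], parts[-1]

def version_key(version: str) -> Tuple[int, ...]:
    """'4.1.41.Final' -> (4, 1, 41); the textual qualifier is ignored for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_outdated(tree: str, group: str, fixed: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, scope) for every node of `group` older than `fixed`."""
    findings = []
    for line in tree.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "[INFO]":
            continue
        parsed = parse_coordinate(tokens[-1])  # the coordinate is the last token
        if parsed is None:
            continue
        g, artifact, version, scope = parsed
        if g == group and version_key(version) < version_key(fixed):
            findings.append((artifact, version, scope))
    return findings

if __name__ == "__main__":
    for artifact, version, scope in find_outdated(TREE, NETTY_GROUP, FIXED_NETTY):
        print(f"{NETTY_GROUP}:{artifact} {version} ({scope}) is below {FIXED_NETTY}")
```

Feeding the full `mvn dependency:tree` output into `find_outdated` gives the same result for the whole project, not just the kms subtree.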
@debora-ito debora-ito added the dependencies This issue is a problem in a dependency. label Oct 14, 2019
@testphreak
Author

Hi! When can we expect to see this released?

@spfink
Contributor

spfink commented Oct 21, 2019

@testphreak I have opened #1480 to make this change. It should be released either tomorrow or Wednesday.

@testphreak
Author

@spfink thank you for the update. If you or your team would like to get ahead on security vulnerabilities in your dependencies and would like to integrate security scans into your development lifecycle, you can use Sonatype's AppScan. That's how we came across this security issue. Maybe there are other tools out there that do something similar.

@dagnir
Contributor

dagnir commented Oct 24, 2019

Fixed by #1480, released as 2.10.0.

@dagnir dagnir closed this as completed Oct 24, 2019
@testphreak
Author

Nice! Thanks for the update.

aws-sdk-java-automation added a commit that referenced this issue Jun 15, 2021
…c785fa3a6

Pull request: release <- staging/53291cf4-d02e-433a-813c-c29c785fa3a6