From 98b698adc2271ca1d616474cabc3c8ba2081e4ca Mon Sep 17 00:00:00 2001
From: Jason Frame <jason.frame@consensys.net>
Date: Thu, 19 Oct 2023 16:01:36 +1000
Subject: [PATCH] Override the netty dependency to fix CVE-2023-44487 (#932)

---
 CHANGELOG.md                 |  5 +++++
 gradle/owasp-suppression.xml | 12 ------------
 gradle/versions.gradle       | 10 ++++++++--
 3 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f05127d74..2059899e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## Next version
+
+### Bugs fixed
+- Update netty to fix CVE-2023-44487
+
 ## 23.9.1
 
 ### Breaking Changes
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
index 8139f5056..90bc4fa57 100644
--- a/gradle/owasp-suppression.xml
+++ b/gradle/owasp-suppression.xml
@@ -1,18 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
-    <suppress until="2023-12-12">
-        <notes><![CDATA[
-        Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
-        The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
-        This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
-        Also see: https://github.com/jeremylong/DependencyCheck/issues/5912
-        The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
-        file name: netty-handler-4.1.97.Final.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-     </suppress>
     <suppress until="2023-12-16">
         <notes><![CDATA[
         Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index e336266d9..a3329bd6d 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
@@ -184,12 +184,18 @@ dependencyManagement {
     // addresses CVE-2023-3635
     dependency 'com.squareup.okio:okio:3.4.0'
 
-    // addressing CVE-2022-41881, CVE-2022-41915, CVE-2023-34462
-    dependencySet(group: 'io.netty', version: '4.1.97.Final') {
+    // addressing CVE-2023-44487
+    dependencySet(group: 'io.netty', version: '4.1.100.Final') {
       entry 'netty-all'
+      entry 'netty-codec-http2'
       entry 'netty-handler'
+      entry 'netty-handler-proxy'
       entry 'netty-resolver-dns'
       entry 'netty-transport'
+      entry 'netty-transport-classes-epoll'
+      entry 'netty-transport-classes-kqueue'
+      entry 'netty-transport-native-epoll'
+      entry 'netty-transport-native-kqueue'
       entry 'netty-resolver-dns-native-macos'
     }