Use gradle constraint to fix CVE-2023-34462 in netty-handler transitive dependency

Gatling has a transitive dependency on netty-handler:4.1.92, which has a CVE.

I tried to fix this by adding

  // build.gradle (Groovy DSL); the gatlingImplementation configuration is created by the Gatling Gradle plugin
  dependencies {
    gatlingImplementation("io.netty:netty-handler") {
      version {
        strictly "4.1.94.Final"
      }
      because "Fix for CVE-2023-34462"
    }
  }

but it appears this is not enough to overwrite the dependency version.

Is this something that requires a new gatling version? Are there plans to fix this?

but it appears this is not enough to overwrite the dependency version.

How is that so? Please elaborate.

Is this something that requires a new gatling version?

No. This vulnerability is only server side (ClientHello parsing), not client side (Gatling’s use case).

Are there plans to fix this?

Gatling Enterprise already has the upgrade.
We’ll probably have an OSS release at the end of this month.

But dependency management should be the correct solution to forcefully upgrade a transitive dependency version. Then, it’s more of a Gradle question than a Gatling one and would probably be best answered on a Gradle forum.

When running gradle dependencies for the project, it still shows the dependency in the old version, and the overwritten version only appears in the buildClasspath/runtimeClasspath.

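As an added example (not code from this thread, from Gatling, or from the Gatling Gradle plugin), here is a build.gradle that declares the constraint the thread is about and adds a task that fails the build if the resolved Gatling runtime classpath still carries the old netty-handler, so the check does not depend on reading gradle dependencies output by eye. The plugin version is a placeholder, and the gatlingRuntimeClasspath configuration name is an assumption based on the plugin's gatling source set.

```groovy
// build.gradle (Groovy DSL). Added illustration, not from the thread.
// Assumes the Gatling Gradle plugin is applied (placeholder version below),
// which creates the gatlingImplementation configuration and the gatling
// source set whose resolved configuration is assumed to be gatlingRuntimeClasspath.
plugins {
    id 'io.gatling.gradle' version '<gatling-plugin-version>'
}

repositories {
    mavenCentral()
}

dependencies {
    // A constraint only influences the version of netty-handler when something
    // else (here Gatling) pulls it in transitively; it does not add a dependency.
    // 'strictly' rejects any other version instead of merely raising the lower bound.
    constraints {
        gatlingImplementation('io.netty:netty-handler') {
            version { strictly '4.1.94.Final' }
            because 'CVE-2023-34462'
        }
    }
}

// Verification task: inspect the resolved graph of the configuration the
// simulations actually run with, and fail if netty-handler is not the
// expected version. Run with: gradle checkNettyHandler
tasks.register('checkNettyHandler') {
    doLast {
        def expected = '4.1.94.Final'
        def cfg = configurations.getByName('gatlingRuntimeClasspath') // assumed name
        def netty = cfg.incoming.resolutionResult.allComponents.find {
            it.moduleVersion?.group == 'io.netty' && it.moduleVersion?.name == 'netty-handler'
        }
        if (netty == null) {
            throw new GradleException('netty-handler is not on the Gatling runtime classpath')
        }
        def actual = netty.moduleVersion.version
        if (actual != expected) {
            throw new GradleException("netty-handler resolved to ${actual}, expected ${expected}")
        }
        println "netty-handler resolved to ${actual}"
    }
}
```

Because the constraint is declared on gatlingImplementation only, other configurations listed by gradle dependencies (for example the plain runtime classpath of a project that does not use Gatling there) may still show the declared 4.1.92 version, which is the behaviour observed above.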

I see, yes. Sorry for the confusion then :slight_smile:
