
Conversation

@jamie-albert (Member)

Summary

Fixes GHSA-3p8m-j85q-pgmj netty DoS vulnerability in the Service Mesh ecosystem by updating netty dependencies to version 4.1.125.Final.

Package Updated

  • kserve-modelmesh: Update netty-codec-http2 via pombump-deps, increment epoch to 16

Fix Details

The package now uses netty version 4.1.125.Final which resolves the DoS vulnerability. Epoch increment forces package rebuild to incorporate the security fix.

Update netty dependencies to version 4.1.125.Final:

- kserve-modelmesh: Update netty-codec-http2 via pombump-deps, increment epoch to 16
@jamie-albert jamie-albert changed the title Fix GHSA-3p8m-j85q-pgmj netty vulnerability - Service Mesh family Fix GHSA-3p8m-j85q-pgmj netty vulnerability - kserve packages in os Sep 5, 2025
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages) Sep 5, 2025
Signed-off-by: jamie-albert <[email protected]>
@octo-sts (Contributor)

octo-sts bot commented Sep 6, 2025

🛑 Build Failed: Compilation

package io.netty.handler.codec.protobuf does not exist

Build Details

Category        Details
Build System    Maven
Failure Point   maven-compiler-plugin:3.8.1:compile (default-compile) on project model-mesh

Root Cause Analysis 🔍

Missing Netty codec dependencies. The compilation fails because required Netty handler packages (io.netty.handler.codec.protobuf and io.netty.handler.codec.base64) are not available in the classpath, even though other Netty dependencies like netty-codec-http2 are present. This suggests an incomplete or missing Netty codec dependency declaration in the Maven project.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: kserve-modelmesh/pombump-properties.yaml

  • create_file (kserve-modelmesh/pombump-properties.yaml)
    Replacement:
properties:
  - property: netty-version
    value: "4.1.124.Final"

Content:

Create new pombump-properties.yaml file

File: kserve-modelmesh.yaml

  • add_pipeline_step (After 'uses: maven/pombump' step)
    Original:
  - uses: maven/pombump

Replacement:

  - uses: maven/pombump

  - uses: maven/pombump
    with:
      patch-file: pombump-properties.yaml

Content:

Add additional pombump step for properties

Analysis

Both similar fixes address missing Netty dependencies by updating Netty version properties in pombump configuration files. Fix #0 added a new pombump-properties.yaml file to update netty.version to "4.1.124.Final", while Fix #1 updated an existing pombump-properties.yaml file to change netty-version from "4.1.115.Final" to "4.1.118.Final". The pattern shows that Netty version updates through Maven property management resolves missing Netty package compilation errors. The current failure specifically mentions missing io.netty.handler.codec.protobuf and io.netty.handler.codec.base64 packages, which are part of Netty's codec modules that should be included in a complete Netty dependency set.


Explanation

The current build failure is caused by missing Netty codec dependencies (io.netty.handler.codec.protobuf and io.netty.handler.codec.base64) during compilation. Based on the similar fixes, the solution is to update the Netty version through Maven property management using pombump. Creating a pombump-properties.yaml file to set the netty-version property to a newer version (4.1.124.Final) should ensure that all required Netty codec modules are properly included in the classpath. The newer Netty version will contain the complete set of codec handlers that the project requires. This approach follows the exact pattern used in both similar fixes, where Netty version updates resolved missing package compilation errors.


Alternative Approaches

  • Create a pombump-deps.yaml file to explicitly add missing Netty codec dependencies as Maven artifacts
  • Update the existing pom.xml directly to include specific Netty codec dependencies
  • Use a different Netty version like 4.1.118.Final as shown in Fix #1 instead of 4.1.124.Final

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
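Added example, not code from the PR or from the kserve-modelmesh package: a Python check a reviewer could run over `mvn dependency:list` or `mvn dependency:tree` output to confirm that every io.netty artifact resolved in the build is at or above 4.1.125.Final, and to surface version skew between netty modules after a bump that touched only netty-codec-http2. The Maven output embedded in the block is constructed, and its pre-fix versions are illustrative.

```python
import re
from typing import Dict, List, Tuple

# Version the PR moves netty to (from the PR summary), i.e. the GHSA-3p8m-j85q-pgmj fix.
FIXED_NETTY_VERSION = "4.1.125.Final"

# Matches the dependency lines printed by `mvn dependency:list` and `mvn dependency:tree`
# (groupId:artifactId:type:version:scope), tolerating the tree-drawing prefix.
DEP_LINE = re.compile(
    r"^\[INFO\][\s|+\\\-]*(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample output; the pre-fix versions are illustrative, not taken from the PR.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ model-mesh ---
[INFO] The following files have been resolved:
[INFO]    io.netty:netty-codec-http2:jar:4.1.125.Final:compile
[INFO]    io.netty:netty-codec:jar:4.1.100.Final:compile
[INFO]    io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO]    io.grpc:grpc-netty:jar:1.60.0:compile
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a netty version: '4.1.125.Final' -> (4, 1, 125); qualifiers ignored."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def netty_artifacts(mvn_output: str) -> Dict[str, str]:
    """artifactId -> resolved version for every io.netty dependency in the Maven output."""
    found: Dict[str, str] = {}
    for line in mvn_output.splitlines():
        m = DEP_LINE.match(line)
        if m and m.group("group") == "io.netty":
            found[m.group("artifact")] = m.group("version")
    return found

def audit_netty(mvn_output: str, fixed: str = FIXED_NETTY_VERSION) -> Dict[str, List[str]]:
    """Report io.netty artifacts still below the fixed version and the netty versions in use.

    More than one version in use means the bump reached only some modules, which is worth
    checking after a pombump-deps update that touches only netty-codec-http2, as this PR's does."""
    deps = netty_artifacts(mvn_output)
    below = sorted(a for a, v in deps.items() if parse_version(v) < parse_version(fixed))
    return {"below_fixed": below, "versions_in_use": sorted(set(deps.values()))}

if __name__ == "__main__":
    report = audit_netty(SAMPLE_MVN_OUTPUT)
    for artifact in report["below_fixed"]:
        print(f"still below {FIXED_NETTY_VERSION}: io.netty:{artifact}")
    if len(report["versions_in_use"]) > 1:
        print("netty version skew:", ", ".join(report["versions_in_use"]))
```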

@octo-sts octo-sts bot added the ai/skip-comment label (Stop AI from commenting on PR) Sep 6, 2025
@jamie-albert jamie-albert changed the title Fix GHSA-3p8m-j85q-pgmj netty vulnerability - kserve packages in os kserve-modelmesh/GHSA-3p8m-j85q-pgmj fix for netty Sep 9, 2025