CVE-2024-29025

[David-Ongaro]

Following up on #718 (comment) I'd like to ask if a minor release can be cut to get the netty update to 4.1.108.Final in? Or, if you think it's not ready yet, can you do a backport with just this update to the 6.x line?

I'm aware that this CVE is probably hardly relevant for Aleph, but we're getting flagged in our builds because of it.

[KingMob]

@DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.

I'm aware that this CVE is probably hardly relevant for Aleph

AFAICT, it does impact Aleph's multipart code. (Well, if you're HTTP2-only, it doesn't affect you. The multipart code isn't yet adapted to the HTTP2 code, since there's little need for it in HTTP2, other than for backwards-compatibility.)

[DerGuteMoritz]

@DerGuteMoritz Want to cut a release? IIRC, you haven't done one yet, so maybe this is a good time to show you the process.

Yeah, let's. I meant to wrap up #721 first but it's probably fine to defer that to the release after that one. I just pushed another dependency bump (Netty 4.1.110.Final was released in the meantime): #725 -- with that, I think we're good to go! Will get in touch via Slack with you about the next steps.

[DerGuteMoritz]

@David-Ongaro Alright, a new release is in the making, see #726 -- as you can see, the tests are currently failing on that branch. I think it's flaking but a single retry didn't yet fix it. Unfortunately, I have to leave now and will likely only be able to continue on Monday. If somebody has time to look into the test failures in the meantime, that'd be great 🙏 Otherwise I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started 😄

[David-Ongaro]

I'll do it on Monday and hopefully push the release then, too! Cheers and thanks for getting the release train started 😄

Thanks for the quick turnaround! I wish you a good weekend!

[DerGuteMoritz]

@David-Ongaro 0.8.0 has just been released which bumps Netty to 4.1.110.Final and more (see changelog). Thanks for your patience and keep Alephing 😄