Dependency Bumps - Vulnerabilities

Merged Daniel Scholl (MS) requested to merge vulnerabilities into master

Summary

This merge request updates the version of the core-lib-azure dependency to 2.0.4 in the provider/storage-azure module.

Key Changes

  • The version of the core-lib-azure dependency has been updated from 2.0.3 to 2.0.4 in the pom.xml file.

Security Impact

This update addresses the following security vulnerability:

  • CVE-2025-24970 (HIGH Severity): This vulnerability in the io.netty:netty-handler package (version 4.1.116.Final) used by the provider/storage-azure module has been fixed. The issue involved the SslHandler not correctly validating packets, which could lead to a native crash when using the native SSLEngine.

    • By updating the core-lib-azure dependency to version 2.0.4, this vulnerability has been addressed and mitigated.

Vulnerability Comparison

Fixed Vulnerabilities

HIGH

  • CVE-2025-24970 in io.netty:netty-handler 4.1.116.Final (provider/storage-azure/pom.xml)

Edited by Daniel Scholl (MS)

Merge request reports

Merge request pipeline #308956 failed

Pipeline: Storage

#308957

    Merge request pipeline failed for 78cdf1dd

    5 environments impacted.

    Merged by Daniel Scholl (MS) 2 months ago (Feb 14, 2025 3:33pm UTC)

    Merge details

    • Changes merged into master with 7499211e (commits were squashed).
    • Deleted the source branch.

    Pipeline #309155 failed

    Pipeline failed for 7499211e on master

    10 environments impacted.
