[GHSA-q4h9-7rxj-7gx2] Netty vulnerability included in redis lettuce #5113
Conversation
|
Hi there @tishun! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
bot
changed the base branch from
main
to
seanwalbran/advisory-improvement-5113
| @@ -3,14 +3,12 @@ | |||
| "id": "GHSA-q4h9-7rxj-7gx2", | |||
| "modified": "2024-12-02T20:03:14Z", | |||
| "published": "2024-12-02T20:03:03Z", | |||
| "aliases": [], | |||
There was a problem hiding this comment.
The actual improvement suggestion is to remove this advisory altogether -- the web form that generated this pull request does not provide an obvious mechanism to do that.
|
Closing in favor of a manually-created pull request which will actually remove the file. |
Updates
Comments
Original report is flawed, it's a false positive to report the Netty vulnerability against the Lettuce artifact.
This advisory should be removed, it is a false positive report. The advisory asserts that the Lettuce package is vulnerable only because it expresses a dependency on a vulnerable version of Netty -- but Lettuce itself does not have this vulnerability: it does not actually package or shade the vulnerable Netty code. The Netty vulnerability already has its own CVE/advisory. This advisory incorrectly flags the usage of Lettuce even when a consuming project has otherwise overridden or excluded the actually-vulnerable Netty package.