how to fix CVE-2023-4586

[lizhh123]

There is a new vulnerability CVE-2023-4586 ，it (High) detected in netty-handler，and lettuce-core depend on this package. Please help to find how to upgrade netty-handler version to 5.0.0.Alpha1

[lizhh123]

@mp911de

[mp911de]

Lettuce isn't affected as we're configuring SSL verification ourselves. We are not going to upgrade to Netty 5 anytime soon as Netty 5 isn't GA, in fact, Netty 5 isn't even close to GA.

Related ticket: netty/netty#8537 and #1845.

[mp911de]

Another side node, the CVE targets Infinispan Hotrod, from the CVE description:

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.