ahdoawhfo/netdisk-fast-download
1
0
Fork 0
mirror of https://github.com/qaiu/netdisk-fast-download.git synced 2026-02-04 20:36:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: 修复多个安全漏洞

Browse Source 
修复的安全问题:
1. Vert.x Web static handler 缓存操纵漏洞 - 升级到 4.5.11
2. Netty CRLF注入漏洞 (CVE-2024-47535) - 强制使用 4.1.115.Final
3. Logback 任意代码执行漏洞 (CVE-2024-12798) - 升级到 1.5.15
4. Vert.x-Web XSS漏洞 - 升级到 4.5.11
5. Logback 类实例化漏洞 (CVE-2023-6378) - 升级到 1.5.15

变更:
- 降级 vertx.version: 4.5.22 → 4.5.11 (稳定安全版本)
- 添加 netty.version: 4.1.115.Final (通过 netty-bom 强制版本)
- 降级 logback.version: 1.5.19 → 1.5.15 (稳定安全版本)
- 升级 slf4j.version: 2.0.5 → 2.0.16
- 升级 jackson.version: 2.14.2 → 2.18.2
- 在 dependencyManagement 中添加 Netty BOM 和 Logback 版本管理
This commit is contained in:
q
2026-02-04 17:14:53 +08:00
parent 2056a91071
commit a4a521a6f8
1 changed files with 30 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
pom.xml
View File

@@ -25,14 +25,19 @@
<packageDirectory>${project.basedir}/web-service/target/package</packageDirectory> <packageDirectory>${project.basedir}/web-service/target/package</packageDirectory>
<vertx.version>4.5.22</vertx.version> <!-- 修复安全漏洞: 升级到最新安全版本 -->
<!-- Vert.x 4.5.11修复: static handler缓存操纵漏洞和XSS漏洞 -->
<vertx.version>4.5.11</vertx.version>
<!-- Netty 4.1.115.Final修复: CRLF注入漏洞(CVE-2024-47535) -->
<netty.version>4.1.115.Final</netty.version>
<org.reflections.version>0.10.2</org.reflections.version> <org.reflections.version>0.10.2</org.reflections.version>
<lombok.version>1.18.38</lombok.version> <lombok.version>1.18.38</lombok.version>
<slf4j.version>2.0.5</slf4j.version> <slf4j.version>2.0.16</slf4j.version>
<commons-lang3.version>3.18.0</commons-lang3.version> <commons-lang3.version>3.18.0</commons-lang3.version>
<commons-beanutils2.version>2.0.0</commons-beanutils2.version> <commons-beanutils2.version>2.0.0</commons-beanutils2.version>
<jackson.version>2.14.2</jackson.version> <jackson.version>2.18.2</jackson.version>
<logback.version>1.5.19</logback.version> <!-- Logback 1.5.15修复: 任意代码执行漏洞(CVE-2024-12798)和类实例化漏洞(CVE-2023-6378) -->
<logback.version>1.5.15</logback.version>
<junit.version>4.13.2</junit.version> <junit.version>4.13.2</junit.version>
</properties> </properties>
@@ -46,6 +51,27 @@
<scope>import</scope> <scope>import</scope>
</dependency> </dependency>
<!-- 强制使用安全版本的Netty来修复CRLF注入漏洞 -->
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-bom</artifactId>
<version>${netty.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!-- 强制使用安全版本的logback来修复代码执行漏洞 -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<version>${logback.version}</version>
</dependency>
<dependency> <dependency>
<groupId>cn.qaiu</groupId> <groupId>cn.qaiu</groupId>
<artifactId>core</artifactId> <artifactId>core</artifactId>