Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

neo4j-5.26/5.26.0-r0: cve remediation #38323

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

octo-sts[bot]
Copy link
Contributor

@octo-sts octo-sts bot commented Dec 24, 2024

@debasishbsws
Copy link
Member

The CVE is sill there

@debasishbsws
Copy link
Member

  - timestamp: 2024-11-20T13:04:12Z
    type: pending-upstream-fix
    data:
      note: |
        This vulnerability relates to the 'jetty-http' dependency, which is fixed in v12.0.12 and later.
        Unfortunately, we are not able to remediate this CVE, as bumping this dependency version results in build failures.
        Specifically, there are version conflicts between the various jetty dependencies. Attempting to bump the related dependencies to the same version, results in different build issues.
        Another component: 'jetty-servlet', has also been relocated to a new location in maven central: https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-servlet. This requires additional code changes.
        All attempts were made to chain up the required changes, but to no avail. Pending fix from upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant