Fix CVE-2025-24970 (kserve#154) (#80)

pull[bot] · spolti · web-flow · commit 9ba037094d1e · 2025-03-03T02:14:52.000Z
chore: Fix [CVE-2025-24970](GHSA-4g8c-wm8x-jfhw) SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine #### Motivation #### Modifications #### Result Signed-off-by: Spolti <fspolti@redhat.com> Co-authored-by: Filippe Spolti <fspolti@redhat.com>
diff --git a/pom.xml b/pom.xml
@@ -57,8 +57,8 @@
     <!--suppress UnresolvedMavenProperty -->
     <jenkins-build-tag>${env.BUILD_TAG}</jenkins-build-tag>  <!-- set by jenkins -->
 
-    <grpc-version>1.60.2</grpc-version>
-    <netty-version>4.1.108.Final</netty-version>
+    <grpc-version>1.63.2</grpc-version>
+    <netty-version>4.1.118.Final</netty-version>
     <litelinks-version>1.7.2</litelinks-version>
     <kv-utils-version>0.5.1</kv-utils-version>
     <etcd-java-version>0.0.24</etcd-java-version>
@@ -437,6 +437,10 @@
       <groupId>io.grpc</groupId>
       <artifactId>grpc-netty</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-core</artifactId>
+    </dependency>
 
     <!-- This is required for compiling on java11+, to provide
        the @Generated annotation used in the protoc-generated
