Force-update netty to patch CVE-2024-47535

As with the msal4j exploit, this is bundled with Minecraft so you will get the vulnerable version anyways until Mojang updates.
Wurst-Imperium · Nov 14, 2024 · 9db84cb · 9db84cb
1 parent 7cfd4d0
commit 9db84cb
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/build.gradle b/build.gradle
@@ -27,11 +27,13 @@ repositories {
 	// for more information about repositories.
 }
 
-// Override vulnerable msal4j dependency until Minecraft updates to a newer version
+// Override vulnerable dependencies until Minecraft updates to newer versions
 configurations.all {
 	resolutionStrategy {
-		// v1.15.0, used by Minecraft 1.21.3, is vulnerable to CVE-2024-35255
-		force 'com.microsoft.azure:msal4j:1.17.2'
+		// v1.15.0, used by Minecraft 1.21.2 and 1.21.3, is vulnerable to CVE-2024-35255
+		force "com.microsoft.azure:msal4j:1.17.2"
+		// v4.1.97.Final, used by Minecraft 1.21 - 1.21.3, is vulnerable to CVE-2024-47535
+		force "io.netty:netty-common:4.1.115.Final"
 	}
 }