From eb5be2e853e682d3c89727d61544abdf3a8da54b Mon Sep 17 00:00:00 2001
From: Sean Walbran <seanwalbran@gmail.com>
Date: Fri, 20 Dec 2024 10:27:37 -0600
Subject: [PATCH] Improve GHSA-q4h9-7rxj-7gx2

---
 .../GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json  | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json b/advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json
index efa2fae8f1237..ab871048f468d 100644
--- a/advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json
+++ b/advisories/github-reviewed/2024/12/GHSA-q4h9-7rxj-7gx2/GHSA-q4h9-7rxj-7gx2.json
@@ -3,14 +3,12 @@
   "id": "GHSA-q4h9-7rxj-7gx2",
   "modified": "2024-12-02T20:03:14Z",
   "published": "2024-12-02T20:03:03Z",
-  "aliases": [],
-  "summary": "Netty vulnerability included in redis lettuce",
-  "details": "### Summary\nNote: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.\n\n> An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.\n\n### Details\nhttps://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently \n```\n<netty.version>4.1.113.Final</netty.version>\n```\nThis version is vulnerable according to Snyk and is affecting one of our products:\n![image](https://github.com/user-attachments/assets/a7c78c24-f1e3-4f29-bc49-b252d330002a)\n\nHere is a [link](https://www.cve.org/CVERecord?id=CVE-2024-47535) to the CVE\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\nNot applicable\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nDenial of Service, affecting Windows users. ",
+  "aliases": [
+
+  ],
+  "summary": "-- none -- this is false positive report",
+  "details": "This advisory should be removed, it is a false positive report.\n\nThe advisory asserts that the Lettuce package is vulnerable only because it expresses a dependency on a vulnerable version of Netty -- but Lettuce itself does not have this vulnerability: it does not actually package or shade the vulnerable Netty code.  The Netty vulnerability already has its own CVE/advisory.  This advisory incorrectly flags the usage of Lettuce even when a consuming project has otherwise overridden or excluded the actually-vulnerable Netty package.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
@@ -28,9 +26,6 @@
           "events": [
             {
               "introduced": "0"
-            },
-            {
-              "fixed": "6.5.1.RELEASE"
             }
           ]
         }