[UNDERTOW-2391] CVE-2023-5685 bump xnio to bring in fix for the CVE

[smmathews-brandwatch]

Bumps xnio from 3.8.8.Final to 3.8.14.Final, which is the latest version and the first version to fix CVE-2023-5685

jira ticket is https://issues.redhat.com/browse/UNDERTOW-2391

[romabaz]

@smmathews-cision-us thanks for bringing this into attention.

[fl4via]

Unfortunately tests are failing, I'll need to investigate before merging this one

[romabaz]

Hello, @fl4via, do you think it would be unsafe for undertow consumers to exclude and replace xnio in pom as transitive dependency, e.g.:

<dependency>
      <groupId>io.undertow</groupId>
      <artifactId>undertow-core</artifactId>
      <version>2.3.13.Final</version>
      <exclusions>
          <exclusion>
              <groupId>org.jboss.xnio</groupId>
              <artifactId>xnio-xnio</artifactId>
          </exclusion>
      </exclusions>
</dependency>
<dependency>
        <groupId>org.jboss.xnio</groupId>
        <artifactId>xnio-nio</artifactId>
        <version>3.8.14.Final</version>
</dependency>

I'm asking, because we have a vulnerability report pending on undertow on that and need to deal with it.

[fl4via]

Hi @romabaz ! I spent the past two weeks investigating this regression and testing a fix for XNIO in internal labs to make sure the final solution to this regression would not cause other regressions of any sorts, specially taking into consideration Undertow and its interaction with WildFly/JBoss Remoting corner scenarios. That's why this PR has been "stalled".
Everything is ready now for release. XNIO 3.8.16.Final has just been tagged with the tested fix. I advise you to wait for the release, since it will be done within the next hours. I appreciate your patience and I apologize for the delay.

[romabaz]

@fl4via , thank you for your prompt response!