You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Guozhang Wang (Jira)" <ji...@apache.org> on 2020/04/14 18:09:00 UTC
[jira] [Commented] (KAFKA-9858) CVE-2016-3189 Use-after-free
vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to
cause a denial of service (crash) via a crafted bzip2 file, related to
block ends set to before the start of the block.
[ https://issues.apache.org/jira/browse/KAFKA-9858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17083482#comment-17083482 ]
Guozhang Wang commented on KAFKA-9858:
--------------------------------------
For rocksdbjni, I saw that at the moment even current master is still using bzip version 1.0.6 so 3189 and 12900 would be existed in newest rocksDB version. I'd suggest you post on rocksdb community and see if their community has a better understanding on how to resolve this?
> CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-9858
> URL: https://issues.apache.org/jira/browse/KAFKA-9858
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2, 2.3.1, 2.4.1
> Reporter: sihuanx
> Priority: Major
>
> I'm not sure whether CVE-2016-3189 affects kafka 2.4.1 or not? This vulnerability was related to rocksdbjni-5.18.3.jar which is compiled with *bzip2 .*
> Is there any task or plan to fix it?
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)