Posted to oak-issues@jackrabbit.apache.org by "Arun Kumar Ram (Jira)" <ji...@apache.org> on 2022/01/31 05:15:00 UTC

[jira] [Updated] (OAK-9611) Bump netty dependency from 4.1.66.Final to 4.1.68.Final

     [ https://issues.apache.org/jira/browse/OAK-9611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arun Kumar Ram updated OAK-9611:
--------------------------------
    Fix Version/s: 1.8.26
                       (was: 1.8.25)

> Bump netty dependency from 4.1.66.Final to 4.1.68.Final
> -------------------------------------------------------
>
>                 Key: OAK-9611
>                 URL: https://issues.apache.org/jira/browse/OAK-9611
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: segment-tar
>            Reporter: Arun Kumar Ram
>            Assignee: Miroslav Smiljanic
>            Priority: Major
>              Labels: vulnerability
>             Fix For: 1.42.0, 1.6.23, 1.22.10, 1.8.26
>
>
> h1. Vulnerability SP10: org.apache.jackrabbit : oak-segment-tar : 1.22.8
> *Vulnerabilities*
> CVE-2021-37136
> The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).
> All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
> https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv



--
This message was sent by Atlassian Jira
(v8.20.1#820001)