Posted to server-dev@james.apache.org by "Rikin Patel (Jira)" <se...@james.apache.org> on 2021/04/22 10:42:00 UTC

[jira] [Created] (JAMES-3567) Apache James 3.6 has Critical Vulnerability in dependent libs

Rikin Patel created JAMES-3567:
----------------------------------

             Summary: Apache James 3.6 has Critical Vulnerability in dependent libs
                 Key: JAMES-3567
                 URL: https://issues.apache.org/jira/browse/JAMES-3567
             Project: James Server
          Issue Type: Improvement
          Components: James Core
    Affects Versions: 3.6.0
         Environment: Docker Image: - apache/james:distributed-3.6.0 
            Reporter: Rikin Patel


/root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar:

    -> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

    -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold". Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar



/root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar:

    -> JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.


