You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Rémi Kowalski (Jira)" <se...@james.apache.org> on 2020/06/16 10:02:00 UTC

[jira] [Created] (JAMES-3223) Bump guava and bean-utils to fix vulnerability

Rémi Kowalski created JAMES-3223:
------------------------------------

             Summary: Bump guava and bean-utils to fix vulnerability
                 Key: JAMES-3223
                 URL: https://issues.apache.org/jira/browse/JAMES-3223
             Project: James Server
          Issue Type: Bug
    Affects Versions: 3.5.0
            Reporter: Rémi Kowalski


h5. [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j]
moderate severity
*Vulnerable versions:* > 11.0, < 24.1.1
*Patched version:* 24.1.1
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.



h5. [CVE-2019-10086|https://github.com/advisories/GHSA-6phf-73q6-gh87]
high severity
*Vulnerable versions:* < 1.9.4
*Patched version:* 1.9.4
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org