You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Julian Reschke (Jira)" <ji...@apache.org> on 2022/01/31 07:03:00 UTC
[jira] [Commented] (OAK-9611) Bump netty dependency from 4.1.66.Final to 4.1.68.Final
[ https://issues.apache.org/jira/browse/OAK-9611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17484539#comment-17484539 ]
Julian Reschke commented on OAK-9611:
-------------------------------------
trunk: [9fa15f660f|https://github.com/apache/jackrabbit-oak/commit/9fa15f660f30d2b7bccb35899ce59faff07fe72b]
1.22: (1.22.10) [8efa91f2ed|https://github.com/apache/jackrabbit-oak/commit/8efa91f2edec1910444c6794a37376104ca657f2]
1.8: [02c0548b57|https://github.com/apache/jackrabbit-oak/commit/02c0548b57ff79da8494bee34e1d3b884ad187f0] [368dc7441c|https://github.com/apache/jackrabbit-oak/commit/368dc7441ccbb
98e2221349d9106a19b51f7cb39]
> Bump netty dependency from 4.1.66.Final to 4.1.68.Final
> -------------------------------------------------------
>
> Key: OAK-9611
> URL: https://issues.apache.org/jira/browse/OAK-9611
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: segment-tar
> Reporter: Arun Kumar Ram
> Assignee: Miroslav Smiljanic
> Priority: Major
> Labels: vulnerability
> Fix For: 1.42.0, 1.6.23, 1.22.10, 1.8.26
>
>
> h1. Vulnerability SP10: org.apache.jackrabbit : oak-segment-tar : 1.22.8
> *Vulnerabilities*
> CVE-2021-37136
> The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).
> All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
> https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
--
This message was sent by Atlassian Jira
(v8.20.1#820001)