You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Guozhang Wang (Jira)" <ji...@apache.org> on 2021/07/29 18:34:00 UTC
[jira] [Resolved] (KAFKA-9858) CVE-2016-3189 Use-after-free
vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to
cause a denial of service (crash) via a crafted bzip2 file, related to
block ends set to before the start of the block.
[ https://issues.apache.org/jira/browse/KAFKA-9858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guozhang Wang resolved KAFKA-9858.
----------------------------------
Fix Version/s: 3.0.0
Resolution: Fixed
> CVE-2016-3189 Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-9858
> URL: https://issues.apache.org/jira/browse/KAFKA-9858
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.2.2, 2.3.1, 2.4.1
> Reporter: sihuanx
> Priority: Major
> Fix For: 3.0.0
>
>
> I'm not sure whether CVE-2016-3189 affects kafka 2.4.1 or not? This vulnerability was related to rocksdbjni-5.18.3.jar which is compiled with *bzip2 .*
> Is there any task or plan to fix it?
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)