Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2020/06/16 10:16:00 UTC

[jira] [Commented] (JAMES-3223) Bump guava and bean-utils to fix vulnerability

    [ https://issues.apache.org/jira/browse/JAMES-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17136501#comment-17136501 ] 

Benoit Tellier commented on JAMES-3223:
---------------------------------------

https://github.com/linagora/james-project/pull/3445

> Bump guava and bean-utils to fix vulnerability
> ----------------------------------------------
>
>                 Key: JAMES-3223
>                 URL: https://issues.apache.org/jira/browse/JAMES-3223
>             Project: James Server
>          Issue Type: Bug
>    Affects Versions: 3.5.0
>            Reporter: Rémi Kowalski
>            Priority: Major
>
> h5. [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j]
> moderate severity
> *Vulnerable versions:* > 11.0, < 24.1.1
> *Patched version:* 24.1.1
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
> h5. [CVE-2019-10086|https://github.com/advisories/GHSA-6phf-73q6-gh87]
> high severity
> *Vulnerable versions:* < 1.9.4
> *Patched version:* 1.9.4
> In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
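Added example, not code from the Jira issue or from the James project: a check for whether a commons-beanutils PropertyUtilsBean still resolves the `class` property described in CVE-2019-10086, next to the explicit SuppressPropertiesBeanIntrospector registration that a codebase stuck on 1.9.2 or 1.9.3 has to do itself (1.9.4 registers it by default). It assumes commons-beanutils 1.9.2 or later on the classpath; the Greeting bean is constructed for the demonstration.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    // Constructed sample bean: the only property it intends to expose is "text".
    public static class Greeting {
        private String text = "hello";
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    // Default PropertyUtilsBean as shipped before 1.9.4: no suppression registered.
    static PropertyUtilsBean unhardened() {
        return new PropertyUtilsBean();
    }

    // What 1.9.4 does for you, and what older versions require by hand:
    // drop the "class" property from every introspected bean so that
    // property paths like "class.classLoader" cannot be resolved at all.
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    // Returns true when the "class" property (inherited from java.lang.Object)
    // is reachable through this PropertyUtilsBean, false when it is suppressed.
    static boolean classPropertyReachable(PropertyUtilsBean pub) {
        try {
            pub.getProperty(new Greeting(), "class");
            return true;
        } catch (NoSuchMethodException suppressed) {
            return false;          // "Unknown property 'class'": suppression is active
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Expected on 1.9.2/1.9.3: unhardened=true, hardened=false.
        // Expected on 1.9.4+: both false, because SUPPRESS_CLASS is registered by default.
        System.out.println("unhardened reaches 'class': " + classPropertyReachable(unhardened()));
        System.out.println("hardened   reaches 'class': " + classPropertyReachable(hardened()));
    }
}
```

Running this against the version actually on the classpath is a quicker regression check than reading the dependency tree, since a transitive downgrade of beanutils would show up as `unhardened reaches 'class': true`.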

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org