Posted to notifications@james.apache.org by bt...@apache.org on 2023/02/24 03:15:37 UTC

[james-project] branch 3.7.x updated: JAMES-3881 Prevent CommonsBeanutils1 deserialization exploit [BACKPORT] (#1455)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/3.7.x by this push:
     new b2b8543c60 JAMES-3881 Prevent CommonsBeanutils1 deserialization exploit [BACKPORT] (#1455)
b2b8543c60 is described below

commit b2b8543c601ecf2435b458d757a4b2b19fb49289
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Fri Feb 24 10:15:32 2023 +0700

    JAMES-3881 Prevent CommonsBeanutils1 deserialization exploit [BACKPORT] (#1455)
---
 pom.xml                                                  | 12 ++++++++++++
 server/blob/blob-export-file/pom.xml                     |  4 ++++
 server/container/guice/configuration/pom.xml             |  4 ++++
 server/protocols/webadmin/webadmin-mail-over-web/pom.xml | 11 +++++++----
 server/protocols/webadmin/webadmin-mailqueue/pom.xml     |  4 ++++
 5 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/pom.xml b/pom.xml
index 9e5b76a544..d7f02227e5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2230,6 +2230,12 @@
                 <groupId>commons-beanutils</groupId>
                 <artifactId>commons-beanutils</artifactId>
                 <version>1.9.4</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>commons-logging</groupId>
+                        <artifactId>commons-logging</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <dependency>
                 <groupId>commons-cli</groupId>
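Review bot: The `commons-logging` exclusion added under `commons-beanutils` (and the identical one under `httpclient` in the second hunk) carries no comment tying it to JAMES-3881, and nothing visible here stops another dependency from pulling `commons-logging` back in transitively. I would put `<!-- JAMES-3881: keep commons-logging off the classpath; jcl-over-slf4j supplies the API -->` above each `<exclusions>` block, and consider a maven-enforcer `bannedDependencies` rule for `commons-logging:commons-logging` so that a regression fails the build instead of silently restoring the jar. Removing one library narrows the gadget surface but leaves the code path that deserializes the data, which is not part of this diff; an allow-list filter (`java.io.ObjectInputFilter`) at that entry point would be the more durable control. Both hunks sit inside a dependency list that starts and ends outside the visible lines.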
@@ -2514,6 +2520,12 @@
                 <groupId>org.apache.httpcomponents</groupId>
                 <artifactId>httpclient</artifactId>
                 <version>4.5.13</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>commons-logging</groupId>
+                        <artifactId>commons-logging</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <dependency>
                 <groupId>org.apache.httpcomponents</groupId>
diff --git a/server/blob/blob-export-file/pom.xml b/server/blob/blob-export-file/pom.xml
index 2e9880f76d..02b994f55b 100644
--- a/server/blob/blob-export-file/pom.xml
+++ b/server/blob/blob-export-file/pom.xml
@@ -70,5 +70,9 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>jcl-over-slf4j</artifactId>
+        </dependency>
     </dependencies>
 </project>
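Review bot: The added `jcl-over-slf4j` dependency has no `<scope>`, so it defaults to compile scope although it appears to be needed only at run time as the stand-in for the excluded `commons-logging`. `<scope>runtime</scope>` would state that intent, assuming nothing in this module compiles against `org.apache.commons.logging`. The same applies to the identical additions in `server/container/guice/configuration/pom.xml`, `server/protocols/webadmin/webadmin-mail-over-web/pom.xml` and `server/protocols/webadmin/webadmin-mailqueue/pom.xml`. A short comment such as `<!-- JAMES-3881: replaces commons-logging, which is excluded in the root pom -->` would keep a later dependency cleanup from dropping it as unused.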
diff --git a/server/container/guice/configuration/pom.xml b/server/container/guice/configuration/pom.xml
index ae735b41e0..7d566b4804 100644
--- a/server/container/guice/configuration/pom.xml
+++ b/server/container/guice/configuration/pom.xml
@@ -58,5 +58,9 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>jcl-over-slf4j</artifactId>
+        </dependency>
     </dependencies>
 </project>
diff --git a/server/protocols/webadmin/webadmin-mail-over-web/pom.xml b/server/protocols/webadmin/webadmin-mail-over-web/pom.xml
index 95074c73bc..97b629d5ff 100644
--- a/server/protocols/webadmin/webadmin-mail-over-web/pom.xml
+++ b/server/protocols/webadmin/webadmin-mail-over-web/pom.xml
@@ -36,6 +36,11 @@
             <groupId>${james.groupId}</groupId>
             <artifactId>james-server-queue-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>${james.groupId}</groupId>
+            <artifactId>james-server-queue-memory</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>${james.groupId}</groupId>
             <artifactId>james-server-webadmin-core</artifactId>
@@ -67,11 +72,9 @@
             <artifactId>james-server-core</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.apache.james</groupId>
-            <artifactId>james-server-queue-memory</artifactId>
-            <scope>test</scope>
+            <groupId>org.slf4j</groupId>
+            <artifactId>jcl-over-slf4j</artifactId>
         </dependency>
-
     </dependencies>
 
 </project>
diff --git a/server/protocols/webadmin/webadmin-mailqueue/pom.xml b/server/protocols/webadmin/webadmin-mailqueue/pom.xml
index e37fa28977..156f4be7d2 100644
--- a/server/protocols/webadmin/webadmin-mailqueue/pom.xml
+++ b/server/protocols/webadmin/webadmin-mailqueue/pom.xml
@@ -112,5 +112,9 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>jcl-over-slf4j</artifactId>
+        </dependency>
     </dependencies>
 </project>

