Posted to notifications@james.apache.org by bt...@apache.org on 2023/02/24 03:15:37 UTC
[james-project] branch 3.7.x updated: JAMES-3881 Prevent CommonsBeanutils1 deserialization exploit [BACKPORT] (#1455)
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/3.7.x by this push:
new b2b8543c60 JAMES-3881 Prevent CommonsBeanutils1 deserialization exploit [BACKPORT] (#1455)
b2b8543c60 is described below
commit b2b8543c601ecf2435b458d757a4b2b19fb49289
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Fri Feb 24 10:15:32 2023 +0700
JAMES-3881 Prevent CommonsBeanutils1 deserialization exploit [BACKPORT] (#1455)
---
pom.xml | 12 ++++++++++++
server/blob/blob-export-file/pom.xml | 4 ++++
server/container/guice/configuration/pom.xml | 4 ++++
server/protocols/webadmin/webadmin-mail-over-web/pom.xml | 11 +++++++----
server/protocols/webadmin/webadmin-mailqueue/pom.xml | 4 ++++
5 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 9e5b76a544..d7f02227e5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2230,6 +2230,12 @@
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
+ <exclusions>
+ <exclusion>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>commons-cli</groupId>
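Review bot: The new `<exclusions>` block on commons-beanutils has no comment marking it as a security mitigation, so it reads like a logging clean-up and could be dropped in a later dependency tidy-up; the same applies to the identical exclusion on httpclient in the next hunk. I would put `<!-- JAMES-3881: keep commons-logging off the classpath; jcl-over-slf4j provides the API instead -->` above each block. The exclusions also cover only these two entries, so any other dependency that pulls in commons-logging transitively would bring it back unnoticed. A maven-enforcer `bannedDependencies` rule listing `commons-logging:commons-logging` would make the build fail in that case instead of relying on per-dependency exclusions. The enclosing section of pom.xml starts and ends outside the hunk.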
@@ -2514,6 +2520,12 @@
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.13</version>
+ <exclusions>
+ <exclusion>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
diff --git a/server/blob/blob-export-file/pom.xml b/server/blob/blob-export-file/pom.xml
index 2e9880f76d..02b994f55b 100644
--- a/server/blob/blob-export-file/pom.xml
+++ b/server/blob/blob-export-file/pom.xml
@@ -70,5 +70,9 @@
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
+ </dependency>
</dependencies>
</project>
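Review bot: Coverage of the jcl-over-slf4j bridge cannot be verified from this diff, because it is added module by module (here, and likewise in guice/configuration, webadmin-mail-over-web and webadmin-mailqueue) with no `<version>`, so it relies on a managed version in the parent pom that is not shown. Since the root pom now excludes commons-logging from commons-beanutils and httpclient, any other module that uses either library without this bridge would presumably fail to load `org.apache.commons.logging` classes at runtime. Running `mvn dependency:tree -Dincludes=commons-logging:commons-logging,org.slf4j:jcl-over-slf4j` across the reactor would confirm that every affected module has the bridge and none still resolves commons-logging. A short comment such as `<!-- replaces commons-logging, excluded in the root pom (JAMES-3881) -->` would explain why the dependency is here.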
diff --git a/server/container/guice/configuration/pom.xml b/server/container/guice/configuration/pom.xml
index ae735b41e0..7d566b4804 100644
--- a/server/container/guice/configuration/pom.xml
+++ b/server/container/guice/configuration/pom.xml
@@ -58,5 +58,9 @@
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
+ </dependency>
</dependencies>
</project>
diff --git a/server/protocols/webadmin/webadmin-mail-over-web/pom.xml b/server/protocols/webadmin/webadmin-mail-over-web/pom.xml
index 95074c73bc..97b629d5ff 100644
--- a/server/protocols/webadmin/webadmin-mail-over-web/pom.xml
+++ b/server/protocols/webadmin/webadmin-mail-over-web/pom.xml
@@ -36,6 +36,11 @@
<groupId>${james.groupId}</groupId>
<artifactId>james-server-queue-api</artifactId>
</dependency>
+ <dependency>
+ <groupId>${james.groupId}</groupId>
+ <artifactId>james-server-queue-memory</artifactId>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>${james.groupId}</groupId>
<artifactId>james-server-webadmin-core</artifactId>
@@ -67,11 +72,9 @@
<artifactId>james-server-core</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.james</groupId>
- <artifactId>james-server-queue-memory</artifactId>
- <scope>test</scope>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
</dependency>
-
</dependencies>
</project>
diff --git a/server/protocols/webadmin/webadmin-mailqueue/pom.xml b/server/protocols/webadmin/webadmin-mailqueue/pom.xml
index e37fa28977..156f4be7d2 100644
--- a/server/protocols/webadmin/webadmin-mailqueue/pom.xml
+++ b/server/protocols/webadmin/webadmin-mailqueue/pom.xml
@@ -112,5 +112,9 @@
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
+ </dependency>
</dependencies>
</project>