[ https://issues.apache.org/jira/browse/ATLAS-4925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17900774#comment-17900774 ]

ASF subversion and git services commented on ATLAS-4925:
--------------------------------------------------------

Commit dc3fce9c28e7d1851342e706a1326242006c38b5 in atlas's branch 
refs/heads/branch-2.0 from dishatalreja
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=dc3fce9c2 ]

ATLAS-4925: Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2

Signed-off-by: Pinal Shah <[email protected]>


> Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2
> ---------------------------------------------
>
>                 Key: ATLAS-4925
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4925
>             Project: Atlas
>          Issue Type: Task
>          Components:  atlas-core
>            Reporter: Disha Talreja
>            Assignee: Disha Talreja
>            Priority: Major
>         Attachments: ATLAS-4925.patch
>
>
> Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2
> Any project that parses untrusted Protocol Buffers data containing an 
> arbitrary number of nested groups / series of SGROUP tags can be corrupted by 
> exceeding the stack limit i.e. StackOverflow. Parsing nested groups as 
> unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, 
> or against Protobuf map fields, creates unbounded recursions that can be 
> abused by an attacker.
> [https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-8055227] 
> [https://nvd.nist.gov/vuln/detail/CVE-2024-7254] 
> [https://github.com/advisories/GHSA-735f-pc8j-v9w8] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
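
The issue description above attributes the problem to unbounded recursion on nested SGROUP tags. As an added example (not part of the commit, Atlas, or protobuf-java), the sketch below walks the protobuf wire format with a counter instead of recursion and rejects input whose group nesting exceeds a limit. The class name `GroupDepthCheck`, the method `maxGroupDepth` and the limits 100 and 2 are assumptions made for illustration.

```java
import java.io.IOException;
// Added illustration: hypothetical class, not Atlas or protobuf-java code.
public class GroupDepthCheck {
    private final byte[] buf;
    private int pos;
    private GroupDepthCheck(byte[] buf) { this.buf = buf; }
    private long readVarint() throws IOException {   // base-128 varint, at most 10 bytes
        long value = 0;
        for (int shift = 0; shift < 70; shift += 7) {
            if (pos >= buf.length) throw new IOException("truncated varint");
            byte b = buf[pos++];
            value |= (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
        throw new IOException("varint too long");
    }
    private void skip(long n) throws IOException {
        if (n < 0 || n > buf.length - pos) throw new IOException("truncated field");
        pos += (int) n;
    }
    // Walks top-level fields with a counter instead of recursion. Groups hidden inside
    // length-delimited payloads are not inspected (that needs the schema).
    public static int maxGroupDepth(byte[] data, int limit) throws IOException {
        GroupDepthCheck in = new GroupDepthCheck(data);
        int depth = 0, max = 0;
        while (in.pos < data.length) {
            switch ((int) (in.readVarint() & 7)) {           // low 3 bits of the tag = wire type
                case 0: in.readVarint(); break;              // varint
                case 1: in.skip(8); break;                   // fixed64
                case 2: in.skip(in.readVarint()); break;     // length-delimited
                case 5: in.skip(4); break;                   // fixed32
                case 3:                                      // SGROUP opens a group
                    if (++depth > limit) throw new IOException("group nesting exceeds " + limit);
                    max = Math.max(max, depth); break;
                case 4:                                      // EGROUP closes a group
                    if (--depth < 0) throw new IOException("unmatched EGROUP"); break;
                default: throw new IOException("invalid wire type");
            }
        }
        if (depth != 0) throw new IOException("unterminated group");
        return max;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: field 1 opened as a group three times (0x0B), then closed (0x0C).
        byte[] sample = {0x0B, 0x0B, 0x0B, 0x0C, 0x0C, 0x0C};
        System.out.println("max depth: " + maxGroupDepth(sample, 100));
        try { maxGroupDepth(sample, 2); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```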
