[ https://issues.apache.org/jira/browse/ATLAS-4853?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904325#comment-17904325 ]
ASF subversion and git services commented on ATLAS-4853:
--------------------------------------------------------
Commit 7fd86e36595cd08196d5aa6163c996f1c08b6eba in atlas's branch
refs/heads/branch-2.0 from dishatalreja
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=7fd86e365 ]
ATLAS-4853: Upgrade Netty to 4.1.108.Final
Signed-off-by: Radhika Kundam <[email protected]>
(cherry picked from commit 1d353ae23f3744190fa95602ea942c92c4332e81)
> Upgrade Netty to 4.1.108.Final
> ------------------------------
>
> Key: ATLAS-4853
> URL: https://issues.apache.org/jira/browse/ATLAS-4853
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Reporter: Disha Talreja
> Assignee: Disha Talreja
> Priority: Major
> Fix For: 2.4.0
>
> Attachments: ATLAS-4853.patch
>
>
> Upgrade Netty to 4.1.108.Final
> Netty is an asynchronous event-driven network application framework for rapid
> development of maintainable high performance protocol servers & clients. The
> `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder
> can store items on the disk if configured so, there are no limits to the
> number of fields the form can have, an attacker can send a chunked post
> consisting of many small fields that will be accumulated in the
> `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk`
> buffer until it can decode a field, this field can cumulate data without
> limits. This vulnerability is fixed in 4.1.108.Final.
> [https://nvd.nist.gov/vuln/detail/CVE-2024-29025]
> [https://github.com/advisories/GHSA-5jpm-x58v-624v]
> [https://ossindex.sonatype.org/vulnerability/CVE-2024-29025]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
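The two unbounded accumulations named in the issue description (the list of decoded fields and the buffer of not-yet-decoded bytes) can be modelled with a small incremental form decoder that enforces a cap on each. This is an added example, not code from Atlas or Netty; the class, the exception, and the `max_fields` / `max_buffered_bytes` parameters and their defaults are hypothetical names chosen for illustration.

```python
from urllib.parse import unquote_plus

class FormLimitExceeded(Exception):
    """Raised when a body exceeds a configured decoder limit."""

class BoundedFormDecoder:
    """Toy incremental x-www-form-urlencoded decoder (a model, not Netty code)."""

    def __init__(self, max_fields=128, max_buffered_bytes=1024):
        # Both limits are hypothetical parameters chosen for this example.
        self.max_fields = max_fields
        self.max_buffered_bytes = max_buffered_bytes
        self.fields = []      # decoded pairs; plays the role of bodyListHttpData
        self.undecoded = b""  # bytes awaiting a delimiter; plays the role of undecodedChunk

    def offer(self, chunk):
        """Feed one body chunk and decode every field it completes."""
        self.undecoded += chunk
        while b"&" in self.undecoded:
            raw, self.undecoded = self.undecoded.split(b"&", 1)
            self._add_field(raw)
        # The remainder is an unfinished field: cap what may be held for it.
        if len(self.undecoded) > self.max_buffered_bytes:
            raise FormLimitExceeded("undecoded buffer over limit")

    def finish(self):
        """Signal end of body and return the decoded (name, value) pairs."""
        if self.undecoded:
            self._add_field(self.undecoded)
            self.undecoded = b""
        return self.fields

    def _add_field(self, raw):
        if not raw:
            return  # empty segment such as "a=1&&b=2"
        if len(self.fields) >= self.max_fields:
            raise FormLimitExceeded("too many form fields")
        name, _, value = raw.partition(b"=")
        decode = lambda b: unquote_plus(b.decode("ascii", "replace"))
        self.fields.append((decode(name), decode(value)))

def demo():
    # Constructed input: one ordinary body arriving in three chunks.
    decoder = BoundedFormDecoder()
    for chunk in (b"user=al", b"ice&note=hello+wor", b"ld"):
        decoder.offer(chunk)
    return decoder.finish()
```

Without the two checks, `fields` and `undecoded` grow for as long as the peer keeps sending, which is the behaviour the description attributes to the decoder before 4.1.108.Final.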