[PR] Bump github/codeql-action from 3.25.6 to 3.25.7 [directory-ldap-api]
dependabot[bot] opened a new pull request, #98:
URL: https://github.com/apache/directory-ldap-api/pull/98

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.6 to 3.25.7.

Changelog
Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).

CodeQL Action Changelog

See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

[UNRELEASED]
No user facing changes.

3.25.7 - 31 May 2024
- We are rolling out a feature in May/June 2024 that will reduce the Actions cache usage of the Action by keeping only the newest TRAP cache for each language. [#2306](https://redirect.github.com/github/codeql-action/pull/2306)

3.25.6 - 20 May 2024
- Update default CodeQL bundle version to 2.17.3. [#2295](https://redirect.github.com/github/codeql-action/pull/2295)

3.25.5 - 13 May 2024
- Add a compatibility matrix of supported CodeQL Action, CodeQL CLI, and GitHub Enterprise Server versions to the [README](https://github.com/github/codeql-action/blob/main/README.md). [#2273](https://redirect.github.com/github/codeql-action/pull/2273)
- Avoid printing out a warning for a missing on.push trigger when the CodeQL Action is triggered via a workflow_call event. [#2274](https://redirect.github.com/github/codeql-action/pull/2274)
- The tools: latest input to the init Action has been renamed to tools: linked. This option specifies that the Action should use the tools shipped at the same time as the Action. The old name will continue to work for backwards compatibility, but we recommend that new workflows use the new name. [#2281](https://redirect.github.com/github/codeql-action/pull/2281)

3.25.4 - 08 May 2024
- Update default CodeQL bundle version to 2.17.2. [#2270](https://redirect.github.com/github/codeql-action/pull/2270)

3.25.3 - 25 Apr 2024
- Update default CodeQL bundle version to 2.17.1. [#2247](https://redirect.github.com/github/codeql-action/pull/2247)
- Workflows running on macos-latest using CodeQL CLI versions before v2.15.1 will need to either upgrade their CLI version to v2.15.1 or newer, or change the platform to an Intel MacOS runner, such as macos-12. ARM machines with SIP disabled, including the newest macos-latest image, are unsupported for CLI versions before 2.15.1. [#2261](https://redirect.github.com/github/codeql-action/pull/2261)

3.25.2 - 22 Apr 2024
No user facing changes.

3.25.1 - 17 Apr 2024
- We are rolling out a feature in April/May 2024 that improves the reliability and performance of analyzing code when analyzing a compiled language with the autobuild [build mode](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes). [#2235](https://redirect.github.com/github/codeql-action/pull/2235)
- Fix a bug where the init Action would fail if --overwrite was specified in CODEQL_ACTION_EXTRA_OPTIONS. [#2245](https://redirect.github.com/github/codeql-action/pull/2245)

3.25.0 - 15 Apr 2024
- The deprecated feature for extracting dependencies for a Python analysis has been removed. [#2224](https://redirect.github.com/github/codeql-action/pull/2224) As a result, the following inputs and environment variables are now ignored:
  - The setup-python-dependencies input to the init Action
  - The CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION environment variable
...
(truncated)

Commits
- [f079b84](https://github.com/github/codeql-action/commit/f079b849aace61c81488f8bd40919487bd9f) Merge pull request [#2317](https://redirect.github.com/github/codeql-action/issues/2317) from github/update-v3.25.7-a095bf2a1
- [e1a4268](https://github.com/github/codeql-action/commit/e1a42688dbe6ce54cc33e2b6b65fc02abdb09762) Update changelog for v3.25.7
- [a095bf2](https://github.com/github/codeql-action/commit/a095bf2a16b83cb3b52e6adba696c70f41e82864) Merge pull request [#2313](https://redirect.github.com/github/codeql-action/issues/2313) from github/revert-2312-update-bundle/codeql-bundle-...
- [bbd4e19](https://github.com/github/codeql-action/commit/bbd4e19f51d83bb98b025b83b255e44eaa1a1e7f) Revert Update default bundle to 2.17.4
- [9ab5d16](https://github.com/github/codeql-action/commit/9ab5d16a3df4885b74bb18ab349bcc6c253ee3e0)
[jira] [Resolved] (DIRAPI-403) OutOfMemory error in Asn1Decoder for LDAP messages
[ https://issues.apache.org/jira/browse/DIRAPI-403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lécharny resolved DIRAPI-403.
--
Fix Version/s: 2.1.7
Resolution: Fixed

Fixed

> OutOfMemory error in Asn1Decoder for LDAP messages
> --
>
> Key: DIRAPI-403
> URL: https://issues.apache.org/jira/browse/DIRAPI-403
> Project: Directory Client API
> Issue Type: Bug
> Affects Versions: 2.1.6
> Reporter: Andrey Slepykh
> Priority: Major
> Fix For: 2.1.7
>
> Attachments: OutOfMemoryReproducer.java
>
>
> Hi, we have found an Out Of Memory error while fuzzing Asn1Decoder for LDAP messages.
> Steps to reproduce:
> 1. Download Apache Directory LDAP API v2.1.6:
> {code:java}
> wget https://github.com/apache/directory-ldap-api/archive/refs/tags/2.1.6.tar.gz
> tar xf 2.1.6.tar.gz && rm 2.1.6.tar.gz
> {code}
> 2. Compile the project (we used jdk-11 and mvn-3.9.6):
> {code:java}
> cd directory-ldap-api-2.1.6
> mvn clean package
> {code}
> 3. Get the reproducer:
> {code:java}
> mkdir fuzz && cd fuzz
> mv /OutOfMemoryReproducer.java .
> {code}
> 4. Compile the reproducer:
> {code:java}
> javac -cp ../asn1/ber/target/classes/:../asn1/api/target/classes/:../ldap/codec/core/target/classes/:../ldap/model/target/classes/ ./OutOfMemoryReproducer.java
> {code}
> 5. Reproduce the error:
> {code:java}
> java -Xmx2000m -cp .:../asn1/ber/target/classes/:../asn1/api/target/classes/:../ldap/codec/core/target/classes/:../ldap/model/target/classes/:../util/target/classes/:../integ-osgi/target/dependency/slf4j-api-1.7.36.jar:../i18n/target/classes/:../integ-osgi/target/dependency/mina-core-2.2.3.jar OutOfMemoryReproducer
> {code}
> We think that 2000 MB is a reasonable limit and the program should not take more.
> Found by Linux Verification Center (portal.linuxtesting.ru) with Jazzer.
> Author L.Reviakin (l.revia...@fobos-nt.ru)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Commented] (DIRAPI-403) OutOfMemory error in Asn1Decoder for LDAP messages
[ https://issues.apache.org/jira/browse/DIRAPI-403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17851487#comment-17851487 ]

Emmanuel Lécharny commented on DIRAPI-403:
--
The maxPDUSize parameter was not used to check whether the value size is greater than the configured value, leading to a huge byte[] being allocated. The fix now checks this limit and throws an exception if it is exceeded. A test was added with a maxPDUSize set to 1024 bytes.
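The bound described in the comment above, as an added example that is not the project's code: a small BER TLV reader in Python (the project itself is Java) that rejects a PDU whose declared length exceeds maxPDUSize before any buffer is sized from it. Class and function names are assumptions for the example.

```python
# Added illustration, not the project's code: a minimal BER TLV reader that
# bounds the declared length by a maximum PDU size before sizing any buffer
# from it, the kind of check the DIRAPI-403 fix adds. Names are assumptions.
class PduTooLargeError(ValueError):
    """Declared value length exceeds the configured maxPDUSize."""


def decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, first value byte pos)."""
    first = buf[pos]
    if first < 0x80:                  # short form: one byte holds the length
        return first, pos + 1
    n = first & 0x7F                  # long form: n following bytes, big-endian
    if n == 0 or n > 4:
        raise ValueError("indefinite or unsupported length form")
    if pos + 1 + n > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_tlv(buf: bytes, max_pdu_size: int = 0) -> tuple[int, int, bytes]:
    """Decode one TLV as (tag, length, value). With max_pdu_size > 0 the
    declared length is checked *before* anything is allocated from it; a
    decoder that reserves byte[length] up front would otherwise honour
    whatever size the peer claims."""
    if not buf:
        raise ValueError("empty input")
    tag = buf[0]
    length, pos = decode_length(buf, 1)
    if max_pdu_size > 0 and length > max_pdu_size:
        raise PduTooLargeError(
            f"declared length {length} exceeds maxPDUSize {max_pdu_size}")
    if pos + length > len(buf):
        raise ValueError("value truncated: need more bytes")
    return tag, length, buf[pos:pos + length]


# Constructed samples: a 4-byte OCTET STRING, and a header whose long-form
# length (0x84: four length bytes follow) claims about 2 GB of value.
SMALL_MSG = bytes([0x04, 0x04]) + b"abcd"
HUGE_HEADER = bytes([0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF])


def is_rejected_by_limit(buf: bytes, max_pdu_size: int) -> bool:
    """True when the decoder refuses the PDU because of maxPDUSize."""
    try:
        decode_tlv(buf, max_pdu_size)
    except PduTooLargeError:
        return True
    return False
```

With the limit left at 0 the reader falls through to the "need more bytes" path, which is exactly where a decoder that pre-allocates from the length field would instead have reserved the claimed 2 GB.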
Re: [PR] Bump github/codeql-action from 2.13.4 to 3.25.6 [directory-studio]
dependabot[bot] closed pull request #91: Bump github/codeql-action from 2.13.4 to 3.25.6
URL: https://github.com/apache/directory-studio/pull/91

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] Bump github/codeql-action from 2.13.4 to 3.25.6 [directory-studio]
dependabot[bot] commented on PR #91:
URL: https://github.com/apache/directory-studio/pull/91#issuecomment-2144098288

Superseded by #92.
[PR] Bump github/codeql-action from 2.13.4 to 3.25.7 [directory-studio]
dependabot[bot] opened a new pull request, #92:
URL: https://github.com/apache/directory-studio/pull/92

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.13.4 to 3.25.7.

Release notes
Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).

CodeQL Bundle v2.17.4
Bundles CodeQL CLI v2.17.4 ([changelog](https://github.com/github/codeql-cli-binaries/blob/HEAD/CHANGELOG.md), [release](https://github.com/github/codeql-cli-binaries/releases/tag/v2.17.4))
Includes the following CodeQL language packs from [github/codeql@codeql-cli/v2.17.4](https://github.com/github/codeql/tree/codeql-cli/v2.17.4):
- codeql/cpp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/cpp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/cpp/ql/src))
- codeql/cpp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/cpp/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/cpp/ql/lib))
- codeql/csharp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/csharp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/csharp/ql/src))
- codeql/csharp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/csharp/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/csharp/ql/lib))
- codeql/go-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/go/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/go/ql/src))
- codeql/go-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/go/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/go/ql/lib))
- codeql/java-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/java/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/java/ql/src))
- codeql/java-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/java/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/java/ql/lib))
- codeql/javascript-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/javascript/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/javascript/ql/src))
- codeql/javascript-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/javascript/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/javascript/ql/lib))
- codeql/python-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/python/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/python/ql/src))
- codeql/python-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/python/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/python/ql/lib))
- codeql/ruby-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/ruby/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/ruby/ql/src))
- codeql/ruby-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/ruby/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/ruby/ql/lib))
- codeql/swift-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/swift/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/swift/ql/src))
- codeql/swift-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/swift/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.4/swift/ql/lib))

CodeQL Bundle v2.17.3
Bundles CodeQL CLI v2.17.3 ([changelog](https://github.com/github/codeql-cli-binaries/blob/HEAD/CHANGELOG.md), [release](https://github.com/github/codeql-cli-binaries/releases/tag/v2.17.3))
Includes the following CodeQL language packs from [github/codeql@codeql-cli/v2.17.3](https://github.com/github/codeql/tree/codeql-cli/v2.17.3):
- codeql/cpp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/src))
- codeql/cpp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/lib/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/cpp/ql/lib))
- codeql/csharp-queries ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/src/CHANGELOG.md), [source](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/src))
- codeql/csharp-all ([changelog](https://github.com/github/codeql/tree/codeql-cli/v2.17.3/csharp/ql/lib/CHANGELOG.md),