[ 
https://issues.apache.org/jira/browse/JAMES-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140198#comment-17140198
 ] 

Benoit Tellier commented on JAMES-3223:
---------------------------------------

https://github.com/linagora/james-project/pull/3445 Shall we close this?

> Bump guava and bean-utils to fix vulnerability
> ----------------------------------------------
>
>                 Key: JAMES-3223
>                 URL: https://issues.apache.org/jira/browse/JAMES-3223
>             Project: James Server
>          Issue Type: Bug
>    Affects Versions: 3.5.0
>            Reporter: Rémi Kowalski
>            Priority: Major
>
> h5. [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j]
> moderate severity
> *Vulnerable versions:* > 11.0, < 24.1.1
> *Patched version:* 24.1.1
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 
> allows remote attackers to conduct denial of service attacks against servers 
> that depend on this library and deserialize attacker-provided data, because 
> the AtomicDoubleArray class (when serialized with Java serialization) and the 
> CompoundOrdering class (when serialized with GWT serialization) perform eager 
> allocation without appropriate checks on what a client has sent and whether 
> the data size is reasonable.
> h5. [CVE-2019-10086|https://github.com/advisories/GHSA-6phf-73q6-gh87]
> high severity
> *Vulnerable versions:* < 1.9.4
> *Patched version:* 1.9.4
> In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added 
> which allows suppressing the ability for an attacker to access the 
> classloader via the class property available on all Java objects. We, however, 
> were not using this by default characteristic of the PropertyUtilsBean.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

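As an added example (not code from the issue or from the James project), the BeanUtils hardening the CVE-2019-10086 description refers to, assuming commons-beanutils 1.9.2 or later on the classpath: a plain `PropertyUtilsBean` still resolves `class` as a readable property, and registering `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` hides it, which is what 1.9.4 does by default. The `Config` bean and the property names are constructed for illustration.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsHardening {

    // Constructed sample bean: the kind of object a request body might be mapped onto.
    public static class Config {
        private String name = "default";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** True if the given PropertyUtilsBean lets a caller read "class" on a bean. */
    static boolean exposesClassProperty(PropertyUtilsBean pu, Object bean) {
        try {
            pu.getProperty(bean, "class");   // resolves via Object.getClass() when not suppressed
            return true;
        } catch (NoSuchMethodException e) {
            return false;                     // property hidden by the registered introspector
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Config bean = new Config();

        // Weak: on 1.9.2/1.9.3 a default BeanUtilsBean still resolves "class", so a
        // caller who controls property names can reach the Class object and its classloader.
        BeanUtilsBean weak = new BeanUtilsBean();
        System.out.println("default exposes class: "
                + exposesClassProperty(weak.getPropertyUtils(), bean));

        // Hardened: register the introspector the issue mentions; "class" is no longer a property.
        BeanUtilsBean hardened = new BeanUtilsBean();
        hardened.getPropertyUtils()
                .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("hardened exposes class: "
                + exposesClassProperty(hardened.getPropertyUtils(), bean));
        // On 1.9.4 both lines print false, because SUPPRESS_CLASS is registered by default.
    }
}
```

A quick way to verify an upgraded deployment is to run the first check alone against the bundled beanutils jar and confirm it reports false.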