[ https://issues.apache.org/jira/browse/JAMES-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140198#comment-17140198 ]
Benoit Tellier commented on JAMES-3223:
---------------------------------------

https://github.com/linagora/james-project/pull/3445 Shall we close?

> Bump guava and bean-utils to fix vulnerability
> ----------------------------------------------
>
> Key: JAMES-3223
> URL: https://issues.apache.org/jira/browse/JAMES-3223
> Project: James Server
> Issue Type: Bug
> Affects Versions: 3.5.0
> Reporter: Rémi Kowalski
> Priority: Major
>
> h5. [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j]
> moderate severity
> *Vulnerable versions:*
> 11.0, < 24.1.1
> *Patched version:* 24.1.1
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
> allows remote attackers to conduct denial of service attacks against servers
> that depend on this library and deserialize attacker-provided data, because
> the AtomicDoubleArray class (when serialized with Java serialization) and the
> CompoundOrdering class (when serialized with GWT serialization) perform eager
> allocation without appropriate checks on what a client has sent and whether
> the data size is reasonable.
> h5. [CVE-2019-10086|https://github.com/advisories/GHSA-6phf-73q6-gh87]
> high severity
> *Vulnerable versions:* < 1.9.4
> *Patched version:* 1.9.4
> In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
> which allows suppressing the ability for an attacker to access the
> classloader via the class property available on all Java objects. We, however,
> were not using this by-default characteristic of the PropertyUtilsBean.
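The CVE-2019-10086 note above says the fix is to make Beanutils suppress the `class` property so bean introspection cannot reach the classloader. As an added example (not code from the James project or this Jira thread), the snippet below checks whether a `PropertyUtilsBean` still exposes `class` and shows the explicit hardening that 1.9.4 applies by default; the `Sample` bean and the `classPropertyReachable` helper are constructed for illustration.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed bean for the check; any JavaBean exposes "class" via Object.getClass().
    public static class Sample {
        private String name = "example";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Returns true when the "class" pseudo-property can be read through this
     * PropertyUtilsBean, i.e. when attacker-controlled property paths such as
     * "class.classLoader" would still resolve. A hardened instance throws
     * NoSuchMethodException because the descriptor has been suppressed.
     */
    public static boolean classPropertyReachable(PropertyUtilsBean pu) throws Exception {
        try {
            return pu.getProperty(new Sample(), "class") != null;
        } catch (NoSuchMethodException e) {
            return false; // "Unknown property 'class'": suppression is active
        }
    }

    /** Explicitly registers the SUPPRESS_CLASS introspector (what 1.9.4 does by default). */
    public static PropertyUtilsBean harden(PropertyUtilsBean pu) {
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; clear them so the new introspector takes effect.
        pu.clearDescriptors();
        return pu;
    }

    public static void main(String[] args) throws Exception {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        // On beanutils < 1.9.4 this prints true; on 1.9.4 it already prints false.
        System.out.println("class reachable before hardening: " + classPropertyReachable(pu));
        harden(pu);
        System.out.println("class reachable after hardening:  " + classPropertyReachable(pu));
    }
}
```

Running this against the Beanutils version actually on the classpath is a quick way to confirm the dependency bump (or the explicit registration) took effect in a deployment.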