[
https://issues.apache.org/jira/browse/JAMES-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benoit Tellier closed JAMES-3568.
---------------------------------
Resolution: Duplicate
https://issues.apache.org/jira/browse/JAMES-3567
> James 3.6.0 having critical vulnerability
> -----------------------------------------
>
> Key: JAMES-3568
> URL: https://issues.apache.org/jira/browse/JAMES-3568
> Project: James Server
> Issue Type: Improvement
> Components: James Core
> Affects Versions: 3.6.0
> Reporter: Rikin Patel
> Priority: Major
> Labels: vulnerabilities, vulnerability
>
> -> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
> header to be accompanied by a second Content-Length header, or by a
> Transfer-Encoding header. Impacted Image File(s):
> /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar
> -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that
> lacks a colon, which might be interpreted as a separate header with an
> incorrect syntax, or might be interpreted as an "invalid fold." Impacted
> Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar
> -> JGroups before 4.0 does not require the proper headers for the ENCRYPT and
> AUTH protocols from nodes joining the cluster, which allows remote attackers
> to bypass security restrictions and send and receive messages within the
> cluster via unspecified vectors. Impacted Image File(s):
> /root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar