[jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544

Sushanta Sen (Jira) Thu, 02 Sep 2021 06:29:06 -0700


     [ 
https://issues.apache.org/jira/browse/HADOOP-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sushanta Sen updated HADOOP-17860:
----------------------------------
    Description: 
Third party jar protobuf-java-2.5.0.jar reports vulnerabilities # 
CVE-2015-5237, CVE-2019-15544 and need to be upgraded.

CVE-2019-15544：

Vulnerability Description：An issue was discovered in the protobuf crate before 
2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.

CVE-2015-5237：

Vulnerability Description：protobuf allows remote authenticated attackers to 
cause a heap-based buffer overflow.

 

Please review  and let me know if you have any concerns or would like to add 
more details to upgrade.

  was:
Third party jar protobuf-java-2.5.0.jar reports vulnerabilities # 
CVE-2015-5237, CVE-2019-15544 and need to be upgraded.

Please review  and let me know if you have any concerns or would like to add 
more details to upgrade.


> Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities 
> #CVE-2015-5237, CVE-2019-15544
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-17860
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17860
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Sushanta Sen
>            Priority: Major
>
> Third party jar protobuf-java-2.5.0.jar reports vulnerabilities # 
> CVE-2015-5237, CVE-2019-15544 and need to be upgraded.
> CVE-2019-15544：
> Vulnerability Description：An issue was discovered in the protobuf crate 
> before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve 
> calls.
> CVE-2015-5237：
> Vulnerability Description：protobuf allows remote authenticated attackers to 
> cause a heap-based buffer overflow.
>  
> Please review  and let me know if you have any concerns or would like to add 
> more details to upgrade.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (HADOOP-17860) Upgrade third party protobuf-java-2.5.0.jar to address vulnerabilities #CVE-2015-5237, CVE-2019-15544

Reply via email to