Re: Review Request 74676: ATLAS-4801: Atlas - Upgrade Okio to 3.4.0 due to CVE-2023-3635

Disha Talreja via Review Board Fri, 27 Oct 2023 10:50:28 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74676/
-----------------------------------------------------------


(Updated Oct. 27, 2023, 5:50 p.m.)


Review request for atlas, Jayendra Parab, Radhika Kundam, and Sidharth Mishra.


Bugs: ATLAS-4801
    https://issues.apache.org/jira/browse/ATLAS-4801


Repository: atlas


Description
-------

GzipSource does not handle an exception that might be raised when parsing a 
malformed gzip buffer. This may lead to denial of service of the Okio client 
when handling a crafted GZIP archive, by using the GzipSource class.

CVSSv3 Score:- 7.5(High)

https://nvd.nist.gov/vuln/detail/CVE-2023-3635


Diffs
-----

  pom.xml f76d0ea04 


Diff: https://reviews.apache.org/r/74676/diff/1/


Testing (updated)
-------

Verified Manually
PC Build: 
https://ci-builds.apache.org/job/Atlas/job/PreCommit-ATLAS-Build-Test/1485/ 
[One test failed which is not related to this change - 
(EntityV2JerseyResourceIT.testSetLabelsByTypeName:986)]


Thanks,

Disha Talreja

Re: Review Request 74676: ATLAS-4801: Atlas - Upgrade Okio to 3.4.0 due to CVE-2023-3635

Reply via email to