Dhoka Pramod created ZOOKEEPER-4758:
---------------------------------------
Summary: Upgrade snappy-java to 1.1.10.4 to fix CVE-2023-43642
Key: ZOOKEEPER-4758
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4758
Project: ZooKeeper
Issue Type: Bug
Affects Versions: 3.8.3
Reporter: Dhoka Pramod
Fix For: 3.8.4
The SnappyInputStream was found to be vulnerable to Denial of Service (DoS)
attacks when decompressing data with a too large chunk size. Due to missing
upper bound check on chunk length, an unrecoverable fatal error can occur. All
versions of snappy-java including the latest released version 1.1.10.3 are
vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which
will be included in the 1.1.10.4 release. Users are advised to upgrade.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
