[
https://issues.apache.org/jira/browse/NIFI-12879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824895#comment-17824895
]
ASF subversion and git services commented on NIFI-12879:
--------------------------------------------------------
Commit 63cc0520dca09acee2dc8f1abb1e2c48c8f4e3e4 in nifi's branch
refs/heads/main from dependabot[bot]
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=63cc0520dc ]
NIFI-12879 Upgraded Clojure from 1.11.1 to 1.11.2
This closes #8487
Signed-off-by: David Handermann <[email protected]>
> Upgrade Clojure to 1.11.2
> -------------------------
>
> Key: NIFI-12879
> URL: https://issues.apache.org/jira/browse/NIFI-12879
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Fix For: 2.0.0, 1.26.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The Clojure library for the Scripting extensions bundle should be upgraded to
> [1.11.2|https://clojure.org/releases/downloads#_stable_release_1_11_2_mar_8_2024]
> to mitigate CVE-2024-22871, which relates to using Java Object serialization
> to read crafted inputs.
> Clojure is an optional scripting library and the Scripting extensions do not
> perform Java Object serialization directly. For this reason, deployments of
> NiFi that do not use custom Scripting components based on Clojure are not
> directly exposed to this vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
