[https://issues.apache.org/jira/browse/OAK-9539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408047#comment-17408047]
Andrei Dulceanu commented on OAK-9539:
--------------------------------------
Backported to 1.22 branch with
[ca03808|https://github.com/apache/jackrabbit-oak/commit/ca03808494e9617e39a602390ebb8027c542f07d].
> Bump netty dependency from 4.1.52.Final to 4.1.66.Final
> -------------------------------------------------------
>
> Key: OAK-9539
> URL: https://issues.apache.org/jira/browse/OAK-9539
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: segment-tar
> Reporter: Arun Kumar Ram
> Assignee: Andrei Dulceanu
> Priority: Major
> Labels: vulnerability
> Fix For: 1.42.0
>
>
> io.netty : netty-codec : 4.1.52.Final sonatype-2021-0789
> *Summary*:
> sonatype-2021-0789
> Explanation
> The netty-codec package contains a Buffer Overflow vulnerability. The
> finishEncode function in the Lz4FrameEncoder.class class incorrectly
> estimates the buffer size when writing a footer for the last header. An
> attacker could abuse this behavior by sending a payload to the flawed
> application that will overwrite contiguous memory chunks in the heap,
> resulting in a Denial of Service (DoS) condition or other unintended behavior.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of
> another component, there may not be an upgrade path. In this instance, we
> recommend contacting the maintainers who included the vulnerable package.
> Alternatively, we recommend investigating alternative components or a
> potential mitigating control.
> Root Cause
> netty-codec-4.1.52.Final.jar <=
> io/netty/handler/codec/compression/Lz4FrameEncoder.class:[4.1.0.Beta2 ,
> 4.1.66.Final)
> Advisories
> Project:
> [https://github.com/netty/netty/pull/11429]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
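As an added illustration of the Root Cause range quoted above (not part of the issue or of the Oak code base): a small Python check that flags netty-codec versions falling inside [4.1.0.Beta2, 4.1.66.Final) in a constructed `mvn dependency:list` style listing. The qualifier ordering Alpha < Beta < CR/RC < Final and the listing format are assumptions made for this example.

```python
import re

# Vulnerable range taken from the advisory: [4.1.0.Beta2, 4.1.66.Final)
VULN_LOWER = "4.1.0.Beta2"
FIXED_VERSION = "4.1.66.Final"

# Assumed ordering of netty release qualifiers (lower = earlier)
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3}


def parse_netty_version(v):
    """Turn '4.1.52.Final' or '4.1.0.Beta2' into a comparable tuple.
    A bare numeric version (no qualifier) is treated as Final."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised netty version: {v}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    qual = (m.group(4) or "Final").lower()
    qnum = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, QUALIFIER_RANK.get(qual, -1), qnum)


def is_vulnerable(version):
    """True if the version lies in the advisory's half-open range."""
    pv = parse_netty_version(version)
    return parse_netty_version(VULN_LOWER) <= pv < parse_netty_version(FIXED_VERSION)


# Constructed sample in the shape of `mvn dependency:list` output
DEP_LIST = """\
[INFO]    io.netty:netty-codec:jar:4.1.52.Final:compile
[INFO]    io.netty:netty-buffer:jar:4.1.52.Final:compile
[INFO]    io.netty:netty-codec:jar:4.1.66.Final:compile
[INFO]    org.apache.jackrabbit:oak-segment-tar:jar:1.42.0:compile
"""

DEP_RE = re.compile(r"io\.netty:netty-codec:jar:([^:\s]+):")


def find_vulnerable_netty_codec(dep_list_text):
    """Return every netty-codec version in the listing that is still affected."""
    found = []
    for line in dep_list_text.splitlines():
        m = DEP_RE.search(line)
        if m and is_vulnerable(m.group(1)):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print(find_vulnerable_netty_codec(DEP_LIST))  # ['4.1.52.Final']
```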