[jira] [Created] (OAK-9611) Bump netty dependency from 4.1.66.Final to 4.1.68.Final

Arun Kumar Ram (Jira) Wed, 03 Nov 2021 01:00:21 -0700

Arun Kumar Ram created OAK-9611:
-----------------------------------

             Summary: Bump netty dependency from 4.1.66.Final to 4.1.68.Final
                 Key: OAK-9611
                 URL: https://issues.apache.org/jira/browse/OAK-9611
             Project: Jackrabbit Oak
          Issue Type: Task
          Components: segment-tar
            Reporter: Arun Kumar Ram



h1. Vulnerability SP10: org.apache.jackrabbit : oak-segment-tar : 1.22.8

*Vulnerabilities*

CVE-2021-37136

The Bzip2 decompression decoder function doesn't allow setting size 
restrictions on the decompressed output data (which affects the allocation size 
used during decompression).

All users of Bzip2Decoder are affected. The malicious input can trigger an OOME 
and so a DoS attack

https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (OAK-9611) Bump netty dependency from 4.1.66.Final to 4.1.68.Final

Reply via email to