[ https://issues.apache.org/jira/browse/OAK-9611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17449162#comment-17449162 ]

Marcel Reutegger commented on OAK-9611:
---------------------------------------

[~miroslav], OSGiIT in oak-it-osgi 1.8 now fails on my machine with:
{noformat}
ERROR: Bundle org.apache.jackrabbit.oak-segment-tar [39] Error starting file:/var/folders/9v/mfxfcr797yl2z8qmbwcfsk7h0000gn/T/1637838051909-0/bundles/org.apache.jackrabbit.oak-segment-tar_1.8.26.SNAPSHOT.jar (org.osgi.framework.BundleException: Unable to resolve org.apache.jackrabbit.oak-segment-tar [39](R 39.0): missing requirement [org.apache.jackrabbit.oak-segment-tar [39](R 39.0)] osgi.wiring.package; (osgi.wiring.package=com.oracle.svm.core.annotate) Unresolved requirements: [[org.apache.jackrabbit.oak-segment-tar [39](R 39.0)] osgi.wiring.package; (osgi.wiring.package=com.oracle.svm.core.annotate)])
org.osgi.framework.BundleException: Unable to resolve org.apache.jackrabbit.oak-segment-tar [39](R 39.0): missing requirement [org.apache.jackrabbit.oak-segment-tar [39](R 39.0)] osgi.wiring.package; (osgi.wiring.package=com.oracle.svm.core.annotate) Unresolved requirements: [[org.apache.jackrabbit.oak-segment-tar [39](R 39.0)] osgi.wiring.package; (osgi.wiring.package=com.oracle.svm.core.annotate)]
        at org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4368)
        at org.apache.felix.framework.Felix.startBundle(Felix.java:2281)
        at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
        at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
        at java.lang.Thread.run(Thread.java:748)
{noformat}

To me it looks like this [commit|https://github.com/apache/jackrabbit-oak/commit/053fdc8a96051e3395b43e1b030fcd30669ac768] also needs to be backported.

> Bump netty dependency from 4.1.66.Final to 4.1.68.Final
> -------------------------------------------------------
>
>                 Key: OAK-9611
>                 URL: https://issues.apache.org/jira/browse/OAK-9611
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: segment-tar
>            Reporter: Arun Kumar Ram
>            Assignee: Miroslav Smiljanic
>            Priority: Major
>              Labels: vulnerability
>             Fix For: 1.8.25, 1.42.0, 1.6.23, 1.22.10
>
>
> h1. Vulnerability SP10: org.apache.jackrabbit : oak-segment-tar : 1.22.8
> *Vulnerabilities*
> CVE-2021-37136
> The Bzip2 decompression decoder function doesn't allow setting size 
> restrictions on the decompressed output data (which affects the allocation 
> size used during decompression).
> All users of Bzip2Decoder are affected. The malicious input can trigger an 
> OOME and so a DoS attack
> https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
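The quoted advisory describes the general failure mode behind CVE-2021-37136: a decompressor that lets the caller bound the compressed input but not the decompressed output can be driven into an OutOfMemoryError by a small, highly compressible stream. The following is an added example and is not Netty's, Oak's or the advisory's code; it uses Python's standard `bz2` module (whose `BZ2Decompressor.decompress` accepts a `max_length`) to show the mitigation the advisory is asking for, a hard cap on the bytes actually materialised. The sample stream is constructed inline (a few hundred bytes that expand to 4 MiB of zeros) and the `bounded_bz2_decompress` / `exceeds_limit` names are this example's own.

```python
import bz2

# Constructed sample input: a small bz2 stream that expands to 4 MiB of zero
# bytes. It stands in for the "malicious input" class the advisory describes;
# the compressed form is only a few hundred bytes.
PLAINTEXT_SIZE = 4 * 1024 * 1024
SAMPLE_STREAM = bz2.compress(b"\x00" * PLAINTEXT_SIZE)


class DecompressionLimitExceeded(Exception):
    """Raised when the decompressed output would exceed the configured cap."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress `data`, never holding more than `max_output` decompressed bytes.

    The whole compressed input is handed to the decoder once; output is then
    pulled in bounded slices via max_length, so peak memory is roughly
    max_output plus one chunk rather than whatever the stream expands to.
    Raises DecompressionLimitExceeded instead of allocating past the cap.
    """
    if max_output <= 0:
        raise ValueError("max_output must be positive")
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not decomp.eof:
        # Ask for at most one byte beyond the remaining budget: if the decoder
        # hands back that extra byte, the stream is over the limit.
        want = min(chunk, max_output - len(out) + 1)
        piece = decomp.decompress(pending, max_length=want)
        pending = b""  # unconsumed input stays buffered inside the decoder
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeds {max_output} bytes"
            )
        if not piece and not decomp.eof:
            # No output, no end-of-stream: the input ran out mid-stream.
            raise ValueError("truncated or stalled bz2 stream")
        out += piece
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if decompressing `data` under `max_output` is refused by the cap."""
    try:
        bounded_bz2_decompress(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(f"compressed sample: {len(SAMPLE_STREAM)} bytes")
    print("1 MiB cap refuses it:", exceeds_limit(SAMPLE_STREAM, 1024 * 1024))
    print("8 MiB cap accepts it:", len(bounded_bz2_decompress(SAMPLE_STREAM, 8 * 1024 * 1024)))
```

The cap is enforced on output, not on input size or on the stream's self-reported length, which is the property the advisory says the affected decoder lacked; a caller sizing the limit should derive it from what the consumer can actually hold, not from the compressed payload.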
--
This message was sent by Atlassian Jira
(v8.20.1#820001)