[ https://issues.apache.org/jira/browse/OAK-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrei Dulceanu updated OAK-10591:
----------------------------------
Summary: Bump netty dependency from 4.1.96.Final to 4.1.104.Final (was:
Bump netty dependency from 4.1.96.Final to 4.1.66.Final)
> Bump netty dependency from 4.1.96.Final to 4.1.104.Final
> --------------------------------------------------------
>
> Key: OAK-10591
> URL: https://issues.apache.org/jira/browse/OAK-10591
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: segment-tar
> Reporter: Andrei Dulceanu
> Assignee: Andrei Dulceanu
> Priority: Major
> Labels: vulnerability
> Fix For: 1.62.0
>
>
> io.netty : netty-codec : 4.1.52.Final sonatype-2021-0789
> *Summary*:
> sonatype-2021-0789
> Explanation
> The netty-codec package contains a Buffer Overflow vulnerability. The
> finishEncode function in the Lz4FrameEncoder.class class incorrectly
> estimates the buffer size when writing a footer for the last header. An
> attacker could abuse this behavior by sending a payload to the flawed
> application that will overwrite contiguous memory chunks in the heap,
> resulting in a Denial of Service (DoS) condition or other unintended behavior.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of
> another component, there may not be an upgrade path. In this instance, we
> recommend contacting the maintainers who included the vulnerable package.
> Alternatively, we recommend investigating alternative components or a
> potential mitigating control.
> Root Cause
> netty-codec-4.1.52.Final.jar <=
> io/netty/handler/codec/compression/Lz4FrameEncoder.class:[4.1.0.Beta2 ,
> 4.1.66.Final)
> Advisories
> Project:
> [https://github.com/netty/netty/pull/11429]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
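A dependency-inventory check for the affected range quoted in the advisory, [4.1.0.Beta2, 4.1.66.Final), added here as an example; it is not part of the Oak ticket or of Netty. The `mvn dependency:tree` lines are constructed, and the qualifier ordering Alpha < Beta < CR < Final is an assumption about how Netty orders its pre-release tags.

```python
"""Flag io.netty:netty-codec versions inside the advisory's affected range."""
import re

# Assumed ordering of Netty release qualifiers, earliest to latest.
QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}

def parse_version(v):
    """'4.1.52.Final' -> (4, 1, 52, 3, 0); '4.1.0.Beta2' -> (4, 1, 0, 1, 2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.([A-Za-z]+)(\d*)", v)
    if not m:
        raise ValueError(f"unrecognised Netty version string: {v}")
    major, minor, patch, qual, qnum = m.groups()
    if qual not in QUALIFIER_RANK:
        raise ValueError(f"unknown Netty qualifier in: {v}")
    return (int(major), int(minor), int(patch), QUALIFIER_RANK[qual], int(qnum or 0))

AFFECTED_LOW = parse_version("4.1.0.Beta2")    # inclusive, from the advisory
AFFECTED_HIGH = parse_version("4.1.66.Final")  # exclusive, first fixed release

def is_affected(version):
    """True when the Lz4FrameEncoder footer-sizing bug is present in this version."""
    return AFFECTED_LOW <= parse_version(version) < AFFECTED_HIGH

# Constructed sample in `mvn dependency:tree` format (not real build output).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0
[INFO] +- io.netty:netty-handler:jar:4.1.52.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.52.Final:compile
[INFO] \\- io.netty:netty-codec-http:jar:4.1.104.Final:compile
"""

# Match only the netty-codec artifact itself, not netty-codec-http and friends.
LINE_RE = re.compile(r"io\.netty:netty-codec:jar:([^:\s]+)")

def scan_tree(text):
    """Return every netty-codec version in the tree that falls in the affected range."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for v in scan_tree(SAMPLE_TREE):
        print(f"affected: io.netty:netty-codec:{v} -> upgrade to 4.1.66.Final or later")
```

Transitive pulls (here via netty-handler) are the case the advisory's note warns about: the fix is a managed-version override or an upgrade of the component that brings netty-codec in.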