[
https://issues.apache.org/jira/browse/ZOOKEEPER-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andor Molnar resolved ZOOKEEPER-4758.
-------------------------------------
Resolution: Fixed
> Upgrade snappy-java to 1.1.10.4 to fix CVE-2023-43642
> -----------------------------------------------------
>
> Key: ZOOKEEPER-4758
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4758
> Project: ZooKeeper
> Issue Type: Bug
> Affects Versions: 3.8.3
> Reporter: Dhoka Pramod
> Priority: Major
> Fix For: 3.8.4
>
>
> The SnappyInputStream was found to be vulnerable to Denial of Service (DoS)
> attacks when decompressing data with a too large chunk size. Due to missing
> upper bound check on chunk length, an unrecoverable fatal error can occur.
> All versions of snappy-java including the latest released version 1.1.10.3
> are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74`
> which will be included in the 1.1.10.4 release. Users are advised to upgrade.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
