[
https://issues.apache.org/jira/browse/JAMES-3192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17117241#comment-17117241
]
Benoit Tellier commented on JAMES-3192:
---------------------------------------
https://github.com/linagora/james-project/pull/3397 solved this.
> Upgrade Apache configuration to 2.7
> -----------------------------------
>
> Key: JAMES-3192
> URL: https://issues.apache.org/jira/browse/JAMES-3192
> Project: James Server
> Issue Type: Improvement
> Components: configuration
> Affects Versions: master
> Reporter: Benoit Tellier
> Priority: Major
> Labels: security
> Fix For: master
>
>
> CVE-2020-1953 enables Remote code execution in Apache Commons Configuration
> Apache Commons Configuration uses a third-party library to parse YAML files
> which by default allows the instantiation of classes if the YAML includes
> special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5,
> 2.6 did not change the default settings of this library. So if a YAML file
> was loaded from an untrusted source, it could therefore load and execute code
> out of the control of the host application.
> James server doesn't rely on YAML files for its configuration (only on XML and
> properties), thus we are likely unaffected by the aforementioned CVE, but
> upgrading would be wise.
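The quoted description says the YAML parser used by Commons Configuration instantiates classes named by tags in the document unless told otherwise. The following is an added example, not code from this issue, from James or from Commons Configuration; it assumes that parser is SnakeYAML 1.x and contrasts its default loader with one built on `SafeConstructor`, the hardened mode a consumer of untrusted YAML should be using.

```java
// Added example (not part of the JIRA issue or of James). Assumes SnakeYAML 1.x
// (org.yaml:snakeyaml) on the classpath.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import java.util.Map;

public class SafeYamlLoad {
    // Constructed sample document: the "!!" global tag asks the loader to
    // instantiate the named class. java.util.Date is harmless; the point is
    // that the document, not the application, picks the class.
    static final String UNTRUSTED = "created: !!java.util.Date {}\nname: demo\n";

    // SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and throws ConstructorException on any tag it does not recognise.
    static Map<String, Object> loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // Default loader honours the tag and instantiates the class it names.
        Map<?, ?> loose = new Yaml().load(UNTRUSTED);
        System.out.println("default loader built: "
                + loose.get("created").getClass().getName());

        // Hardened loader refuses the tag instead of instantiating anything.
        try {
            loadSafely(UNTRUSTED);
            System.out.println("unexpected: safe loader accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected the document: " + e.getMessage());
        }
    }
}
```

Commons Configuration 2.7 made the equivalent change for its YAML support, which is the reason the upgrade is recommended even for deployments that, like James, do not load YAML from untrusted sources.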
--
This message was sent by Atlassian Jira
(v8.3.4#803005)