[ https://issues.apache.org/jira/browse/JAMES-3192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3192.
---------------------------------
Fix Version/s: 3.6.0, 3.5.0
Resolution: Fixed
This fix will be backported to upcoming 3.5.0.
> Upgrade Apache configuration to 2.7
> -----------------------------------
>
> Key: JAMES-3192
> URL: https://issues.apache.org/jira/browse/JAMES-3192
> Project: James Server
> Issue Type: Improvement
> Components: configuration
> Affects Versions: master
> Reporter: Benoit Tellier
> Priority: Major
> Labels: security
> Fix For: master, 3.5.0, 3.6.0
>
>
> CVE-2020-1953 enables Remote code execution in Apache Commons Configuration
> Apache Commons Configuration uses a third-party library to parse YAML files
> which by default allows the instantiation of classes if the YAML includes
> special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5,
> 2.6 did not change the default settings of this library. So if a YAML file
> was loaded from an untrusted source, it could therefore load and execute code
> out of the control of the host application.
> James server doesn't rely on YAML files for its configuration (only on XML and
> properties), thus we are likely unaffected by the aforementioned CVE, but
> upgrading would be wise.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
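As an added check (not part of the ticket or of the James project's own code), a Python script that reads a Maven pom.xml and flags a commons-configuration2 dependency declared below the 2.7 fix version mentioned in the ticket; it resolves the `${property}` indirection most real poms use, and the pom fragment below is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml fragment (not from the James project) that pins
# commons-configuration2 through a Maven property, a common real-world layout.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-configuration.version>2.6</commons-configuration.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-configuration2</artifactId>
      <version>${commons-configuration.version}</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = (2, 7)  # first Commons Configuration release with the fix


def parse_version(text):
    """Turn '2.6' or '2.7.1' into a comparable tuple of ints; qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def commons_configuration_version(pom_xml):
    """Return the declared commons-configuration2 version, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if (dep.findtext("m:groupId", "", NS) == "org.apache.commons"
                and dep.findtext("m:artifactId", "", NS) == "commons-configuration2"):
            version = dep.findtext("m:version", "", NS).strip()
            m = re.fullmatch(r"\$\{(.+)\}", version)
            return props.get(m.group(1), version) if m else version
    return None


def needs_upgrade(pom_xml):
    """True when commons-configuration2 is declared below the 2.7 fix version."""
    version = commons_configuration_version(pom_xml)
    if version is None:
        return False  # not declared here; it may still arrive transitively
    return parse_version(version) < FIXED_VERSION
```

A pom that only inherits the dependency from a parent or BOM is not covered; `mvn dependency:tree` remains the authoritative view of the resolved version.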