[ https://issues.apache.org/jira/browse/JAMES-3567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Tellier closed JAMES-3567.
---------------------------------
    Resolution: Fixed

Mentioned dependencies are either updated or removed. Closing.

> Apache James 3.6 has Critical Vulnerability in dependent libs
> -------------------------------------------------------------
>
>                 Key: JAMES-3567
>                 URL: https://issues.apache.org/jira/browse/JAMES-3567
>             Project: James Server
>          Issue Type: Improvement
>          Components: James Core
>    Affects Versions: 3.6.0
>         Environment: Docker Image:
> - apache/james:distributed-3.6.0
>            Reporter: Rikin Patel
>            Priority: Major
>              Labels: vulnerability
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar:
> -> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header
> -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
> Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar
>
> /root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar
> -> JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
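As an added illustration of the Netty finding quoted above (this is example code, not Netty's or Apache James's own), the check below applies the HTTP/1.1 message-framing rules of RFC 7230 section 3.3.3 that a fixed decoder enforces: it flags a second Content-Length header, Content-Length combined with Transfer-Encoding, obsolete line folding, and a header line without a colon. The header blocks it is run against are constructed samples, and the hostnames in them are placeholders.

```python
"""Strict HTTP/1.1 header-framing check (added example, not Netty/James code).
Flags the ambiguities named in JAMES-3567: duplicate Content-Length,
Content-Length with Transfer-Encoding, obs-fold, and colon-less header lines.
"""
from __future__ import annotations

import re

# RFC 7230 "token" characters: a header name must be non-empty and contain
# no spaces, so "Host james.example" (no colon) fails this check.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_framing_headers(raw: bytes) -> list[str]:
    """Return the reasons a header block is ambiguous; an empty list means ok."""
    problems: list[str] = []
    content_lengths: list[str] = []
    has_transfer_encoding = False
    # lines[0] is the request line; headers end at the first empty line.
    for line in raw.split(b"\r\n")[1:]:
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            # Obsolete line folding: a decoder may read it as a continuation
            # or as a new header, so reject rather than guess.
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name.decode("latin-1")):
            problems.append(f"malformed header line: {line!r}")
            continue
        key = name.lower()
        if key == b"content-length":
            content_lengths.append(value.strip().decode("latin-1"))
        elif key == b"transfer-encoding":
            has_transfer_encoding = True
    if len(content_lengths) > 1:
        problems.append("multiple Content-Length headers")
    if content_lengths and has_transfer_encoding:
        problems.append("Content-Length together with Transfer-Encoding")
    for v in content_lengths:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length: {v!r}")
    return problems


# Constructed sample header blocks (not captured traffic).
CLEAN = b"POST /jmap HTTP/1.1\r\nHost: james.example\r\nContent-Length: 5\r\n\r\nhello"
CL_AND_TE = (b"POST /jmap HTTP/1.1\r\nHost: james.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
NO_COLON = b"GET / HTTP/1.1\r\nHost james.example\r\n\r\n"
```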