Security17 guava update #7218
Closed
Security17 guava update #7218
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…s reported to allow an attacker to escalate permissions and access private values and create invalid instances - see CVE-2017-7536. It is reported to be fixed in versions 5.2.5.Final and greater. The upgraded library had changes to the api for constructing ConstaintValidatorContextImpl, used in URLValidatorTest.java. In investigating the changes, it was found that there were further changes to the api in recent versions and it was decided to adapt the code to the latest changes and use the latest available stable hibernate-validator library - 6.1.5.Final. It was also necessary to add a dependency to javax.el due to changes in the library starting with version 5.3.1.Final and later.
…ecifically at this point)
…ial of service attack due to unbounded mmemory allocation. see CVE-2018-10237 dataverse-security#17
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it: There is a potential denial of service attack in current guava version due to unbounded memory allocation. This was fixed in version 24.1.1 and above (also some back-fixes)
Which issue(s) this PR closes:
Closes https://github.com/IQSS/dataverse-security/issues/17
Special notes for your reviewer:the following libraries used in dataverse depend on guava: auto-service, org.everit.json.schema, tika, search box, xoai-common.
Suggestions on how to test this: It is related to code which uses the above listed libraries, but it should be a plug-in fix. I went though the guava release notes (https://github.com/google/guava/releases) between 16.0.1 and 29.0 are and there was only one potential breaking change listed. However, I checked the mvn repository pages for each library e.g. https://mvnrepository.com/artifact/org.everit.json/org.everit.json.schema/1.5.1 and 29.0-jre is listed as an update for the guava dependency on each page.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:no
Is there a release notes update needed for this change?:no
Additional documentation:
https://nvd.nist.gov/vuln/detail/CVE-2018-10237
GHSA-mvr2-9pj6-7w5j