Issue2728

Jython fails vulnerability check because of a vulnerability in the guava dependency.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CVE-2018-10237 (https://nvd.nist.gov/vuln/detail/CVE-2018-10237)

Using jython-standalone 2.7.1 in a maven project

is there a way to update the version of guava in the jython jar ?

Thanks

We usually upgrade all dependencies right before a new release, so this should fix for Jython 2.7.2.

You can build a custom Jython 2.7.1 or from current trunk:

- clone Jython repo (e.g. from git) or dowload sources of the deisred version, e.g. 2.7.1

- replace extlibs/guava-22.0-android.jar with the desired version.
In guava 22 it was necessary to use the android version (also for desktop) because of Java 7 compatibility. This is probably still the case for current guava, but I didn't look at it since Jython 2.7.1 release.

- search build.xml for guava-22.0-android.jar and replace it by the filename of the new version

- build via "ant build", "ant jar-standalone" or "ant installer" to get your favorit distribution variant

Remarks:

- "from git" was supposed to be "from github" referring to our github mirror at https://github.com/jythontools/jython

- regarding "search build.xml for guava-22.0-android.jar" note that there are multiple occurrences that need to be handled

Thanks for the reply, any idea on the ETA of the next version ?

Fixed at https://hg.python.org/jython/rev/a1ae652df5e3