Issue2728
Created on 2019-01-03.09:33:52 by najibk, last changed 2019-07-21.05:47:33 by jeff.allen.

msg12252
Author: najibk
Date: 2019-01-03.09:33:52

Jython fails a vulnerability check because of a vulnerability in the Guava dependency.
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CVE-2018-10237 (https://nvd.nist.gov/vuln/detail/CVE-2018-10237)
Using jython-standalone 2.7.1 in a Maven project, is there a way to update the version of Guava in the Jython jar?
Thanks

msg12254
Author: Stefan Richthofer (stefan.richthofer)
Date: 2019-01-03.17:23:27

We usually upgrade all dependencies right before a new release, so this should be fixed for Jython 2.7.2.
You can build a custom Jython from 2.7.1 or from current trunk:
- clone the Jython repo (e.g. from git) or download the sources of the desired version, e.g. 2.7.1
- replace extlibs/guava-22.0-android.jar with the desired version.
In Guava 22 it was necessary to use the android version (also for desktop) because of Java 7 compatibility. This is probably still the case for current Guava, but I didn't look at it since the Jython 2.7.1 release.
- search build.xml for guava-22.0-android.jar and replace it with the filename of the new version
- build via "ant build", "ant jar-standalone" or "ant installer" to get your favorite distribution variant

msg12278
Author: Stefan Richthofer (stefan.richthofer)
Date: 2019-01-05.14:50:09

Remarks:
- "from git" was supposed to be "from github" referring to our github mirror at https://github.com/jythontools/jython
- regarding "search build.xml for guava-22.0-android.jar" note that there are multiple occurrences that need to be handled
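
The jar-swap procedure from msg12254, together with the caveat from msg12278 that build.xml references the jar in more than one place, as an added POSIX shell example that is not part of the Jython project or of either message. It assumes the checkout layout the messages describe (build.xml at the top level and the jar under extlibs/); the jar filenames in the usage comment and in the function arguments are placeholders, and the "new version" filename is hypothetical.

```shell
#!/bin/sh
# Added example, not Jython project code: swap the Guava jar a Jython checkout
# references and prove that no stale reference survives in build.xml.
# Assumed layout (from the messages above): <checkout>/build.xml and
# <checkout>/extlibs/<guava jar>. Jar names are placeholders.
set -eu

# swap_guava_ref CHECKOUT OLD_JAR NEW_JAR
# Rewrites every occurrence of OLD_JAR in CHECKOUT/build.xml to NEW_JAR
# (build.xml names the jar in several places, so a single manual edit is not
# enough), keeps build.xml.bak, and prints how many lines now name NEW_JAR.
# Fails if the new jar is missing from extlibs/ or an old reference remains.
swap_guava_ref() {
    checkout=$1; old_jar=$2; new_jar=$3
    build_xml="$checkout/build.xml"

    # Refuse to touch build.xml until the replacement jar is actually in place,
    # otherwise the build would point at a jar that does not exist.
    if [ ! -f "$checkout/extlibs/$new_jar" ]; then
        echo "missing $checkout/extlibs/$new_jar; copy the new Guava jar first" >&2
        return 1
    fi

    # Match the old name literally: escape '.' for sed and use '|' as the
    # s/// delimiter, which cannot occur in a jar filename.
    old_re=$(printf '%s' "$old_jar" | sed 's/\./\\./g')
    sed -i.bak "s|$old_re|$new_jar|g" "$build_xml"

    # Every occurrence must be gone; a leftover would make ant look for the
    # jar that was just removed from extlibs/.
    if grep -q -F "$old_jar" "$build_xml"; then
        echo "stale reference to $old_jar remains in $build_xml" >&2
        return 1
    fi
    grep -c -F "$new_jar" "$build_xml"
}

# Usage once the new jar has been copied into extlibs/ (afterwards run
# "ant build", "ant jar-standalone" or "ant installer" as in msg12254):
#   swap_guava_ref ./jython guava-22.0-android.jar guava-NEW-android.jar
```

The function prints the number of build.xml lines that now reference the new jar, which is a quick way to confirm that all of the occurrences mentioned in msg12278 were rewritten rather than just the first one.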

msg12288
Author: najibk
Date: 2019-01-07.12:37:06

Thanks for the reply, any idea on the ETA of the next version ?

msg12506
Author: Jeff Allen (jeff.allen)
Date: 2019-05-12.12:57:26

Fixed at https://hg.python.org/jython/rev/a1ae652df5e3

Date | User | Action | Args
2019-07-21 05:47:33 | jeff.allen | set | status: pending -> closed
2019-05-12 12:57:26 | jeff.allen | set | status: open -> pending; resolution: remind -> fixed; messages: + msg12506
2019-05-11 17:38:55 | jeff.allen | set | assignee: jeff.allen; nosy: + jeff.allen
2019-01-07 12:37:06 | najibk | set | messages: + msg12288
2019-01-05 14:50:09 | stefan.richthofer | set | messages: + msg12278
2019-01-05 05:50:01 | jeff.allen | set | priority: normal; milestone: Jython 2.7.1 -> Jython 2.7.2
2019-01-03 17:23:27 | stefan.richthofer | set | resolution: remind; messages: + msg12254; nosy: + stefan.richthofer
2019-01-03 09:33:52 | najibk | create |