Issue2728

classification
Title: jython-standalone 2.7.1 fails vulnerability check because of guava 22
Type: security Severity: urgent
Components: Library Versions: Jython 2.7
Milestone: Jython 2.7.2
process
Status: open Resolution: remind
Dependencies: Superseder:
Assigned To: Nosy List: najibk, stefan.richthofer
Priority: normal Keywords:

Created on 2019-01-03.09:33:52 by najibk, last changed 2019-01-07.12:37:06 by najibk.

Messages
msg12252 (view) Author: (najibk) Date: 2019-01-03.09:33:52
Jython fails vulnerability check because of a vulnerability in the guava dependency.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CVE-2018-10237 (https://nvd.nist.gov/vuln/detail/CVE-2018-10237)

Using jython-standalone 2.7.1 in a maven project

is there a way to update the version of guava in the jython jar ?

Thanks
msg12254 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2019-01-03.17:23:27
We usually upgrade all dependencies right before a new release, so this should fix for Jython 2.7.2.

You can build a custom Jython 2.7.1 or from current trunk:

- clone Jython repo (e.g. from git) or dowload sources of the deisred version, e.g. 2.7.1

- replace extlibs/guava-22.0-android.jar with the desired version.
In guava 22 it was necessary to use the android version (also for desktop) because of Java 7 compatibility. This is probably still the case for current guava, but I didn't look at it since Jython 2.7.1 release.

- search build.xml for guava-22.0-android.jar and replace it by the filename of the new version

- build via "ant build", "ant jar-standalone" or "ant installer" to get your favorit distribution variant
msg12278 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2019-01-05.14:50:09
Remarks:

- "from git" was supposed to be "from github" referring to our github mirror at https://github.com/jythontools/jython

- regarding "search build.xml for guava-22.0-android.jar" note that there are multiple occurrences that need to be handled
msg12288 (view) Author: (najibk) Date: 2019-01-07.12:37:06
Thanks for the reply, any idea on the ETA of the next version ?
History
Date User Action Args
2019-01-07 12:37:06najibksetmessages: + msg12288
2019-01-05 14:50:09stefan.richthofersetmessages: + msg12278
2019-01-05 05:50:01jeff.allensetpriority: normal
milestone: Jython 2.7.1 -> Jython 2.7.2
2019-01-03 17:23:27stefan.richthofersetresolution: remind
messages: + msg12254
nosy: + stefan.richthofer
2019-01-03 09:33:52najibkcreate