Message12252

Author	najibk
Recipients	najibk
Date	2019-01-03.09:33:52
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1546508032.54.0.678331415143.issue2728@roundup.psfhosted.org>
In-reply-to

Content
Jython fails vulnerability check because of a vulnerability in the guava dependency. Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. CVE-2018-10237 (https://nvd.nist.gov/vuln/detail/CVE-2018-10237) Using jython-standalone 2.7.1 in a maven project is there a way to update the version of guava in the jython jar ? Thanks

Jython fails vulnerability check because of a vulnerability in the guava dependency.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

CVE-2018-10237 (https://nvd.nist.gov/vuln/detail/CVE-2018-10237)

Using jython-standalone 2.7.1 in a maven project

is there a way to update the version of guava in the jython jar ?

Thanks

History
Date	User	Action	Args
2019-01-03 09:33:54	najibk	set	recipients: + najibk
2019-01-03 09:33:52	najibk	set	messageid: <1546508032.54.0.678331415143.issue2728@roundup.psfhosted.org>
2019-01-03 09:33:52	najibk	link	issue2728 messages
2019-01-03 09:33:52	najibk	create