[CVE-2018-10237]: Upgrade guava to 24.1.1-jre
This upgrade fixes CVE-2018-10237 [1]:

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-10237

This also adds dependency on j2objc-annotations to prevent the following warning during the build:

INFO: From Building java/com/google/gerrit/lucene/liblucene.jar (12 source files):
warning: unknown enum constant ReflectionSupport$Level.FULL
reason: class file for com.google.j2objc.annotations.ReflectionSupport$Level not found

Bug: Issue 9952
Change-Id: Iea79ee7d93c4b7c85479b5ec01ee07e19beed611
parent
ec46d92a77
commit
b0618f9b94
|
@ -219,6 +219,12 @@ maven_jar(
|
|||
sha1 = GUAVA_BIN_SHA1,
|
||||
)
|
||||
|
||||
maven_jar(
|
||||
name = "j2objc",
|
||||
artifact = "com.google.j2objc:j2objc-annotations:1.1",
|
||||
sha1 = "ed28ded51a8b1c6b112568def5f4b455e6809019",
|
||||
)
|
||||
|
||||
maven_jar(
|
||||
name = "velocity",
|
||||
artifact = "org.apache.velocity:velocity:1.7",
|
||||
|
|
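Review bot: The new `maven_jar(name = "j2objc", ...)` entry is pinned only through its `sha1` attribute, and SHA-1 is no longer collision-resistant, so it is a weak integrity anchor for a jar that is downloaded at build time. Whether this repository's `maven_jar` rule accepts a stronger digest is not visible in this hunk; if it does, pin that as well, and in either case confirm the value against the checksum published alongside the artifact rather than a hash computed from the file that was just downloaded. Nothing in the entry says why the artifact is needed, so I would add a comment above it such as `# Needed by guava: its class files reference ReflectionSupport$Level`.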
12
lib/BUILD
12
lib/BUILD
|
@ -75,11 +75,21 @@ java_library(
|
|||
runtime_deps = [":protobuf"],
|
||||
)
|
||||
|
||||
java_library(
|
||||
name = "j2objc",
|
||||
data = ["//lib:LICENSE-Apache2.0"],
|
||||
visibility = ["//visibility:public"],
|
||||
exports = ["@j2objc//jar"],
|
||||
)
|
||||
|
||||
java_library(
|
||||
name = "guava",
|
||||
data = ["//lib:LICENSE-Apache2.0"],
|
||||
visibility = ["//visibility:public"],
|
||||
exports = ["@guava//jar"],
|
||||
exports = [
|
||||
":j2objc",
|
||||
"@guava//jar",
|
||||
],
|
||||
)
|
||||
|
||||
java_library(
|
||||
|
|
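Review bot: The `exports` list of `guava` now carries `":j2objc"` with no comment saying that it is there only so the compiler can resolve the `ReflectionSupport$Level` enum referenced from Guava's class files, which makes it an easy target for a later "unused dependency" cleanup. I would add `# j2objc-annotations: referenced by Guava class files; exported to avoid "unknown enum constant" warnings` directly above `":j2objc",`. The new `j2objc` target is also declared `//visibility:public` although the only consumer visible in this section is `:guava` in the same package; if nothing else depends on it directly, `visibility = ["//visibility:private"]` keeps the annotations jar from being picked up as a direct dependency elsewhere.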
|
@ -1,5 +1,5 @@
|
|||
GUAVA_VERSION = "22.0"
|
||||
GUAVA_VERSION = "24.1.1-jre"
|
||||
|
||||
GUAVA_BIN_SHA1 = "3564ef3803de51fb0530a8377ec6100b33b0d073"
|
||||
GUAVA_BIN_SHA1 = "2e3014320a8005e3f3c1800cb246ed42db8cab81"
|
||||
|
||||
GUAVA_DOC_URL = "https://google.github.io/guava/releases/" + GUAVA_VERSION + "/api/docs/"
|
||||
|
|