[CVE-2018-10237]: Upgrade guava to 24.1.1-jre

This upgrade fixes CVE-2018-10237 [1]:

  Unbounded memory allocation in Google Guava 11.0 through 24.x before
  24.1.1 allows remote attackers to conduct denial of service attacks
  against servers that depend on this library and deserialize attacker-
  provided data, because the AtomicDoubleArray class (when serialized
  with Java serialization) and the CompoundOrdering class (when
  serialized with GWT serialization) perform eager allocation without
  appropriate checks on what a client has sent and whether the data size
  is reasonable.

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-10237

This also adds a dependency on j2objc-annotations to prevent the following
warning during the build:

  INFO: From Building java/com/google/gerrit/lucene/liblucene.jar (12 source files):
  warning: unknown enum constant ReflectionSupport$Level.FULL
  reason: class file for com.google.j2objc.annotations.ReflectionSupport$Level not found

Bug: Issue 9952
Change-Id: Iea79ee7d93c4b7c85479b5ec01ee07e19beed611
David Pursehouse
2018-11-01 15:46:39 +09:00
parent ec46d92a77
commit b0618f9b94
3 changed files with 19 additions and 3 deletions

@@ -219,6 +219,12 @@ maven_jar(
sha1 = GUAVA_BIN_SHA1,
)
maven_jar(
name = "j2objc",
artifact = "com.google.j2objc:j2objc-annotations:1.1",
sha1 = "ed28ded51a8b1c6b112568def5f4b455e6809019",
)
maven_jar(
name = "velocity",
artifact = "org.apache.velocity:velocity:1.7",
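
Review bot: The new `j2objc` entry carries no comment saying why it is here. Per the commit message it exists only so the compiler can resolve `ReflectionSupport$Level` and stop warning during the build. A one-line comment above `name = "j2objc"` saying so would keep it from being removed later as an apparently unused dependency, and would prompt whoever next bumps Guava to check whether the annotations version has to move with it. The `sha1` pin is good to have. The Guava entry directly above takes its hash from a constant (`GUAVA_BIN_SHA1`), so if this hash is ever needed in a second build file it should follow the same pattern rather than being copied.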