Bug 760111 (CVE-2018-10237, CVE-2020-8908) - <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Summary: <dev-java/guava-30.1.1: Multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
Status: IN_PROGRESS
Alias: CVE-2018-10237, CVE-2020-8908
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 809974 831439 833309 833758
Blocks:
Reported: 2020-12-16 06:24 UTC by Sam James
Modified: 2023-06-15 05:09 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 06:24:58 UTC
* CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

* CVE-2020-8908

A temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
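
The CVE-2020-8908 mitigations quoted above, as an added Java example that is not part of this bug report and is not Guava's code. It assumes a POSIX filesystem; the class and method names are hypothetical, and `legacyTempDir` is a stand-in that uses `java.io.File.mkdir()` to reproduce umask-default permissions rather than Guava's actual implementation.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempDirPermissions {
    // Group/other bits that expose a temp directory to other local users.
    private static final Set<PosixFilePermission> EXPOSED = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Assumed stand-in for the weak pattern: mkdir() applies only the process
    // umask, so the mode is whatever the environment's default happens to be.
    static Path legacyTempDir() throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "demo-" + System.nanoTime());
        if (!dir.mkdir()) throw new IOException("could not create " + dir);
        return dir.toPath();
    }

    // Preferred fix (Java 7+ NIO): owner-only mode is set when the directory is created.
    static Path privateTempDir() throws IOException {
        return Files.createTempDirectory("demo-", PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rwx------")));
    }

    // Fallback from the advisory: chmod after creation; a short exposure window remains.
    static void restrictToOwner(Path dir) throws IOException {
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
    }

    static boolean isExposed(Path dir) throws IOException {
        return Files.getPosixFilePermissions(dir).stream().anyMatch(EXPOSED::contains);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempDir();
        System.out.println(legacy + " exposed=" + isExposed(legacy));
        restrictToOwner(legacy);
        System.out.println(legacy + " exposed after chmod=" + isExposed(legacy));
        Path hardened = privateTempDir();
        System.out.println(hardened + " exposed=" + isExposed(hardened));
        Files.delete(legacy);
        Files.delete(hardened);
    }
}
```

`isExposed` can also be pointed at directories an application already created, to audit them for group or other access.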
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:13:56 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-01-19 02:36:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6f1ad5edce356930cecb857d94a4fd58c7e9ee

commit db6f1ad5edce356930cecb857d94a4fd58c7e9ee
Author:     Jeffrey Lin <jeffrey@icurse.nl>
AuthorDate: 2021-06-19 03:58:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-19 02:36:46 +0000

    dev-java/guava: add 30.1.1
    
    Going back to SLOT 0 as upstream claims "APIs without `@Beta` will
    remain binary-compatible for the indefinite future." [1]
    
    [1]: https://github.com/google/guava#important-warnings
    
    Bug: https://bugs.gentoo.org/760111
    Closes: https://bugs.gentoo.org/809974
    Signed-off-by: Jeffrey Lin <jeffrey@icurse.nl>
    Closes: https://github.com/gentoo/gentoo/pull/21318
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/guava/Manifest            |  1 +
 dev-java/guava/guava-30.1.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-06-17 13:50:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33275e7369fbcc1bb980d6f5e81d3e91e450a614

commit 33275e7369fbcc1bb980d6f5e81d3e91e450a614
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-17 11:43:29 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2022-06-17 13:50:13 +0000

    dev-java/guava: drop 20.0, 20.0-r1
    
    Closes: https://bugs.gentoo.org/833309
    Closes: https://bugs.gentoo.org/657692
    Bug: https://bugs.gentoo.org/760111
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/25940
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/guava/Manifest             |  1 -
 dev-java/guava/guava-20.0-r1.ebuild | 36 ------------------------------------
 dev-java/guava/guava-20.0.ebuild    | 36 ------------------------------------
 3 files changed, 73 deletions(-)