Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix #15865

Closed
mn-mikke opened this issue Oct 24, 2023 · 0 comments · Fixed by #15866
Closed

Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix #15865

mn-mikke opened this issue Oct 24, 2023 · 0 comments · Fixed by #15866
Assignees
@mn-mikke
Milestone
3.44.0.2

Comments

@mn-mikke
Copy link
Collaborator

Support ticket: https://support.h2o.ai/a/tickets/106681

Reported vulnerability:

— Use After Free [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422] in com.github.jnr:jnr-posix@3.0.23
    introduced by unknown:/opt/.venv/lib/python3.11/site-packages/h2o/backend/bin/h2o.jar@unknown > com.github.jnr:jnr-posix@3.0.23

It looks that com.github.jnr:jnr-posix dependency is brought to h2o.jar via org.python:jython. Although gradle doesn't see the dependency:

./gradlew :h2o-assemblies:main:dependencyInsight --dependency jnr-posix --configuration runtimeClasspath

> Task :h2o-assemblies:main:dependencyInsight
No dependencies matching given input were found in configuration ':h2o-assemblies:main:runtimeClasspath'

jnr-posix seems to be jython dependency. From META-INF/maven/com.github.jnr/jnr-posix/pom.properties inside Jython jar:

#Generated by Maven
#Thu Nov 12 15:35:48 CST 2015
version=3.0.23
groupId=com.github.jnr
artifactId=jnr-posix
@mn-mikke mn-mikke added this to the 3.44.0.2 milestone Oct 24, 2023
@mn-mikke mn-mikke self-assigned this Oct 24, 2023
mn-mikke added a commit that referenced this issue Oct 24, 2023
@mn-mikke
[GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr…
5f534e3 
…-posix
@mn-mikke mn-mikke mentioned this issue Oct 24, 2023
Merged
mn-mikke added a commit that referenced this issue Oct 27, 2023
@mn-mikke
[GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr…
e7b77fb 
…-posix
mn-mikke added a commit that referenced this issue Oct 30, 2023
@mn-mikke
[GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr…
cd38506 
…-posix (overriding org.python.core.imp class from Jython with custom changes, search for CUSTOM CHANGE) (#15866)

* [GH-15865] Upgrade org.python:jython to CWE-416 of com.github.jnr:jnr-posix

* Override jython class

* Add Jython version check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mn-mikke mn-mikke

Labels
None yet
Projects
None yet
Milestone
3.44.0.2
1 participant
@mn-mikke