[GHSA-crjg-w57m-rqqf] DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks #4787
Hi there @ibauersachs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
@amita-seal, I assume this is the change log entry
While the proposed change is technically correct (and the referenced PR), it would require flagging org.jitsi:dnssecjava (all versions, won't fix since it's archived) instead.
@ibauersachs not sure I follow. Are you saying that all versions of Is that in addition to the artifact
Yes, that is in addition to dnsjava >= 3.5.0. I thought I did that already when I released the bulletins. It's possible I couldn't do that though, and thus left dnsjava marked as vulnerable including versions before 3.5, since that indirectly points users to migrate to the fixed dnsjava version.
OK cool. Many thanks for the clarification. I'll set The affected products will show Many thanks to both of you :) For the sake of future readers
Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Comments
Based on dnsjava/dnsjava@07ac36a and dnsjava/dnsjava@3ddc45c.
The vulnerability is irrelevant to the origin version; the fix is in the dnssec folder, which was only added in version 3.5, as per the changelog.