Upgrade to Guava 24.1+
brusdev opened this issue
Google Guava versions 11.0 through 24.1 are vulnerable to unbounded memory allocation in the AtomicDoubleArray class (when serialized with Java serialization) and Compound Ordering class (when serialized with GWT serialization). An attacker could exploit applications that use Guava and deserialize untrusted data to cause a denial of service. Could you upgrade guava to version 24.1 or above?
For anyone following this, Airline itself does not use AtomicDoubleArray, so this is not a security concern for Airline users. We understand that upgrading the Airline library will make it easier for others to upgrade.
Yes, this is the point. It is hard to update Google Guava in a project if you use Google Guava and Airline at the same time.
@brusdev Keep in mind that due to
- Guava being a very widely used library ("everything depends on Guava") and
- Guava versioning aggressively deprecating methods, making many even adjacent versions incompatible for some users
one cannot always "just upgrade the Guava dependency to latest". This is why libraries at lower levels in the stack (including Airline) are often more conservative wrt the baseline version they use.
But as long as Airline itself works fine with wider range of versions it should not be necessary to increase the version to latest; it may make sense to gradually increase baseline over time and releases.
Airline works fine with newer versions of Guava. We use it in Presto with Guava 26
That makes sense, thank you for clarification.
Note that Guava changed their policy on deprecation after Guava 21: APIs without @Beta will remain binary-compatible for the indefinite future.
Airline should not be using any @Beta APIs. Most of the usages are collections, plus a few things like Preconditions and MoreObjects.
Thank you, Airline 0.8 works fine with Guava 24.1.