ANNOUNCE: Akka 2.4.20 (security patch)

[Patrik Nordwall]

Dear hakkers,

We are pleased to announce a new patch release of Akka 2.4.

Users of akka-camel are recommended to update to Camel version 2.17.7 and akka-camel 2.4.20 due to a security vulnerability in Camel, see below.

3 issues were closed since 2.4.19. The complete list can be found on the 2.4.20 milestone on github.

Security vulnerability in Camel dependency

akka-camel had a dependency to camel-core 2.13.4 and that version of Camel’s Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in CVE-2017-5643. Therefore we have updated the Camel dependency to version 2.17.7 in Akka 2.5.4 and 2.4.20. If you are using akka-camel you should also update your dependencies of other Camel modules to 2.17.7.

This update of Camel version might cause that akka-camel is not fully backwards compatible with prior versions. We didn’t have to change the source code when updating but there might be changes in Camel that we are not aware of. It’s recommended that you recompile and test your applications and libraries when doing this update.

We would like to thank Thomas Szymanski for bringing this issue to our attention.

Credits

For this release we had the help of 5 committers – thank you all very much!

commits  added  removed

     2    167      128 Patrik Nordwall

     2     10       10 Thomas Szymanski

     1    174       21 Kirill Yankov

     1     95       34 Johannes Rudolph

     1     26        0 Arnout Engelen

Happy hakking!

– The Akka Team

Lightbend -  Reactive apps on the JVM