A vulnerability has been discovered in protobuf-java which could result in denial of service.
|Package||dev-java/protobuf-java on all architectures|
|Affected versions||< 3.20.3|
|Unaffected versions||>= 3.20.3|
protobuf-java contains the Java bindings for Google's Protocol Buffers.
Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Crafted input can trigger a denial of service via long garbage collection pauses.
There is no known workaround at this time.
All protobuf-java users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"
January 11, 2023
January 11, 2023: 1