Dear hakkers,
We are pleased to announce a new patch release of Akka 2.4.
Users of akka-camel are recommended to update to Camel version 2.17.7 and akka-camel 2.4.20 due to a security vulnerability in Camel, see below.
3 issues were closed since 2.4.19. The complete list can be found on the 2.4.20 milestone on github.
Security vulnerability in Camel dependency
akka-camel had a dependency to camel-core 2.13.4 and that version of Camel’s Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in CVE-2017-5643. Therefore we have updated the Camel dependency to version 2.17.7 in Akka 2.5.4 and 2.4.20. If you are using akka-camel you should also update your dependencies of other Camel modules to 2.17.7.
This update of Camel version might cause that akka-camel is not fully backwards compatible with prior versions. We didn’t have to change the source code when updating but there might be changes in Camel that we are not aware of. It’s recommended that you recompile and test your applications and libraries when doing this update.
We would like to thank Thomas Szymanski for bringing this issue to our attention.
Credits
For this release we had the help of 5 committers – thank you all very much!
commits added removed
2 167 128 Patrik Nordwall
2 10 10 Thomas Szymanski
1 174 21 Kirill Yankov
1 95 34 Johannes Rudolph
1 26 0 Arnout Engelen
Happy hakking!
– The Akka Team