Blog

This is the right place to check for product updates and company news
September 18, 2024

Make sure you update to S/Notify 4.1

We have updated the Bouncy Castle crypto library in S/Notify 4.1. This version of the library fixes flaws that may lead to high CPU usage or even a DoS (Denial of Service) under certain circumstances. The following CVEs have been addressed and may be relevant for the library's use within S/Notify:

  • CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
  • CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.

Note that CVE-2024-30172 in particular could be used for a DoS (Denial of Service) attack. This applies especially if you allow user uploads or, in Jira, the extraction and use of certificates or keys from incoming email.

Therefore, we recommend that all customers who have not already done so plan a short-term update to S/Notify for Jira 4.1, S/Notify for Confluence 4.1 and/or S/Notify for Bitbucket 2.1.

© 2007-2024 by savignano software solutions