author: Johannes Rudolph <johannes.rudolph@gmail.com> 2018-11-08 14:13:48 +0100
committer: Johannes Rudolph <johannes.rudolph@gmail.com> 2018-11-08 14:13:48 +0100
commit: bfaf2451409201e91ccbb447041e9c26ba122918 (patch)
tree: 28c0db2cb9f1b3fbbc621362131d51709d11c667
parent: 62520d75a40a140130a8dac7c387ac7cf0c69e80 (diff)
download: spray-json-bfaf2451409201e91ccbb447041e9c26ba122918.tar.gz
spray-json-bfaf2451409201e91ccbb447041e9c26ba122918.tar.bz2
spray-json-bfaf2451409201e91ccbb447041e9c26ba122918.zip
Add 1.3.5 release notes (v1.3.5)
-rw-r--r-- CHANGELOG 29
1 files changed, 29 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index bae279e..3f3c43b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,32 @@
+Version 1.3.5 (2017-10-24)
+--------------------------
+
+Security fix for several Denial Of Service vulnerabilities:
+
+- CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
+- CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
+- CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
+
+Thanks, [Andriy Plokhotnyuk](https://github.com/plokhotnyuk) who brought the first two issues to
+our attention.
+
+## Migration Notes
+
+For some fixes, we added new limits to the parser:
+
+ * Maximum depth of nested JSON values, defaults to 1000
+ * Maximum characters for number values, defaults to 100
+
+We introduced a `JsonParserSettings` class which can be used to customize these limits.
+New overloads for `JsonParser.apply` and `String.parseJson` have been introduced to specify
+custom settings.
+
+Version 1.3.4 (2017-10-24)
+--------------------------
+
+- Replace ClassManifest by ClassTag
+- Deprecate Pimp* classes and replace by Rich*
+
Version 1.3.3 (2016-12-29)
--------------------------
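Review bot: the new "Version 1.3.5 (2017-10-24)" heading at the top of the hunk carries the same date as the "Version 1.3.4 (2017-10-24)" entry added below it, and that date predates both the CVE-2018-* identifiers the entry lists and this commit itself (2018-11-08); the 1.3.5 date looks copied from the 1.3.4 entry and should be corrected before tagging, since consumers triaging the DoS advisories will read it as the fix date. Two smaller points on the same hunk: `## Migration Notes` introduces a Markdown heading into a file whose version headings use dashed underlines, so a sub-heading in the existing underline style would keep the file consistent; and the migration notes state the new defaults (nesting depth 1000, 100 characters per number) but not what a caller observes when an input exceeds a limit, which is the behaviour change users upgrading for the security fixes need to know about, so one sentence saying such input is rejected rather than parsed, and pointing at `JsonParserSettings` for raising the limit where larger documents are legitimately expected, would make the notes actionable.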