<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="Date-Revision-yyyymmdd" content="20240401" /> <meta http-equiv="Content-Language" content="en" /> <title>Apache Johnzon – Reporting New Security Problems with Apache Johnzon</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.5.min.css" /> <link rel="stylesheet" href="./css/site.css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> </head> <body class="topBarEnabled"> <div class="container-fluid"> <div id="breadcrumbs"> <ul class="breadcrumb"> <li id="publishDate">Last Published: 2024-04-01 <span class="divider">|</span> </li> <li id="projectVersion">Version: 2.0.2-SNAPSHOT </li> </ul> </div> <div class="row-fluid"> <div id="bodyColumn" class="span10" > <h1>Reporting New Security Problems with Apache Johnzon</h1> <p>The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against Apache projects.</p> <p>We strongly encourage folks to report such problems to the <a class="externalLink" href="http://www.apache.org/security/">private security mailing list</a> first, before disclosing them in a public forum.</p> <p>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in Apache projects and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. 
All mail sent to this address that does not relate to an undisclosed security problem will be ignored.</p> <p>If you need to report a bug that isn't an undisclosed security vulnerability, please use the <a class="externalLink" href="https://issues.apache.org/jira/browse/JOHNZON">bug reporting</a> system.</p> <p>Questions about:</p> <ul> <li>how to configure Johnzon securely</li> <li>whether a vulnerability applies to your particular application</li> <li>obtaining further information on a published vulnerability</li> <li>availability of patches and/or new releases</li> </ul> <p>should be addressed to the <a class="externalLink" href="http://johnzon.apache.org/mail-lists.html">mailing list</a>.</p> <p>The private security mailing address is: security (at) apache (dot) org</p><section> <h2><a name="BigInteger_and_Java"></a>BigInteger and Java</h2> <p>JSON-P/JSON-B expose an API using <code>BigDecimal</code> and <code>BigInteger</code>. The bridge between these two types is <code>BigDecimal#toBigInteger</code>, whose Java implementation is slow and performs no validation of the maximum scale: a decimal carrying a huge exponent is expanded into every one of its digits before the integer can be produced.</p> <p>Johnzon does some sanity checks on this value, but we recommend that you stay away from these API and handle big numbers as <code>String</code> values that you parse yourself, since only you know the correct functional validation of the scale that must happen before the number is instantiated.</p> <p>If you know you don't need such big types, prefer using plain primitives (or wrappers).</p></section> </div> </div> </div> <hr/> <footer> <div class="container-fluid"> <div class="row-fluid"> <div class="row span16"><div>Apache Johnzon, Apache, the Apache feather logo, and the Apache Johnzon project logos are trademarks of The Apache Software Foundation. 
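<p>The guard the BigInteger section above recommends, as an added example that is not Johnzon project code: the number arrives as a <code>String</code>, is parsed into a <code>BigDecimal</code> (which only stores the digits plus an <code>int</code> scale, so this step is cheap), and its scale and precision are checked against application-chosen limits before <code>toBigInteger()</code> is allowed to expand it. The class name <code>BoundedBigNumber</code>, the limit values and the sample inputs are assumptions made for this example.</p>

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/**
 * Added example (not Johnzon project code): turn a number received as a JSON
 * string into a BigInteger only after bounding its scale and precision, so that
 * BigDecimal#toBigInteger cannot be driven into a very long digit expansion.
 */
public final class BoundedBigNumber {

    // Limits are assumptions for this example; derive yours from the functional range you need.
    private static final int MAX_TEXT_LENGTH = 128; // cheap gate applied before any parsing
    private static final int MAX_PRECISION = 40;    // significant digits allowed
    private static final int MIN_SCALE = -40;       // at most 10^40 implied trailing zeros
    private static final int MAX_SCALE = 40;        // digits after the decimal point

    private BoundedBigNumber() {
    }

    /**
     * Parses the textual number and returns its integer part as a BigInteger,
     * or throws IllegalArgumentException if the value is outside the bounds.
     */
    public static BigInteger toBoundedBigInteger(String text) {
        if (text == null || text.length() > MAX_TEXT_LENGTH) {
            throw new IllegalArgumentException("number text missing or too long");
        }
        final BigDecimal decimal;
        try {
            // Cheap: BigDecimal(String) keeps the unscaled digits and an int scale, nothing is expanded yet.
            decimal = new BigDecimal(text);
        } catch (NumberFormatException nfe) {
            throw new IllegalArgumentException("not a valid number: " + text, nfe);
        }
        // A large positive exponent shows up as a large negative scale; toBigInteger()
        // would materialise all of those zeros, so reject before converting.
        if (decimal.scale() < MIN_SCALE || decimal.scale() > MAX_SCALE) {
            throw new IllegalArgumentException("scale out of bounds: " + decimal.scale());
        }
        if (decimal.precision() > MAX_PRECISION) {
            throw new IllegalArgumentException("too many significant digits: " + decimal.precision());
        }
        return decimal.toBigInteger();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two acceptable values and one that the guard rejects.
        System.out.println(toBoundedBigInteger("123.45"));   // 123
        System.out.println(toBoundedBigInteger("1e6"));      // 1000000
        try {
            toBoundedBigInteger("1e1000000000");              // rejected before any expansion
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

<p>The limits are deliberately tight; set them from the range your application actually needs, and if that range fits a <code>long</code> or a <code>double</code>, use the primitive instead, as the section above advises. Note that the scale check must run on the <code>BigDecimal</code> before <code>toBigInteger()</code> is called; checking the resulting <code>BigInteger</code> afterwards is too late, since the expensive expansion has already happened.</p>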
All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div> <a href="https://johnzon.apache.org/privacy-policy.html">Privacy Policy</a> </div> </div> <div id="ohloh" class="pull-right"> <script type="text/javascript" src="https://www.ohloh.net/p/apache-johnzon/widgets/project_basic_stats.js"></script> </div> </div> </footer> </body> </html>