RHSA-2021:3225: Moderate: Red Hat AMQ Streams 1.8.0 release and security update

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 1.8.0 serves as a replacement for Red Hat AMQ Streams 1.7.0, and includes security and bug fixes, and enhancements.Security Fix(es): snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640) netty: Information disclosure via the local system temporary directory (CVE-2021-21290) netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295) netty: Request smuggling via content-length header (CVE-2021-21409) json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568) jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163) jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164) jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165) jersey: Local information disclosure via system temporary directory (CVE-2021-28168) jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169) apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425) jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.