qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-8279) [Broker-J] Upgrade Jackson dependencies
Date Sat, 16 Feb 2019 02:01:00 GMT

    [ https://issues.apache.org/jira/browse/QPID-8279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16769968#comment-16769968 ]

ASF subversion and git services commented on QPID-8279:
-------------------------------------------------------

Commit c79986ee99cb5c73c64f85c43645c63938369912 in qpid-broker-j's branch refs/heads/master
from Alex Rudyy
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=c79986e ]

QPID-8279: [Broker-J] Upgrade Jackson dependencies


> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
>                 Key: QPID-8279
>                 URL: https://issues.apache.org/jira/browse/QPID-8279
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-7.0.3, qpid-java-broker-7.0.2, qpid-java-broker-7.0.0, qpid-java-broker-7.0.1, qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, qpid-java-broker-7.0.6
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.0.7, qpid-java-broker-8.0.0, qpid-java-broker-7.1.1
>
>
> The CVE vulnerabilities [CVE-2018-14718|https://nvd.nist.gov/vuln/detail/CVE-2018-14718], [CVE-2018-14719|https://nvd.nist.gov/vuln/detail/CVE-2018-14719],
> [CVE-2018-14720|https://nvd.nist.gov/vuln/detail/CVE-2018-14720], [CVE-2018-14721|https://nvd.nist.gov/vuln/detail/CVE-2018-14721]
> have been reported against jackson-databind library 2.x versions below 2.9.7.
> Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that
> is affected by the vulnerability, it is believed that the Apache Qpid Broker-J product itself
> is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's
> polymorphic deserialisation features: specifically it never makes calls to ObjectMapper#enableDefaultTyping(...)
> nor does it use TypeResolverBuilders or annotations that enable the feature.
> Though Apache Qpid Broker-J is not affected by the vulnerabilities, this JIRA will upgrade
> the dependencies of Broker-J to versions of the jackson-databind dependencies that are not
> vulnerable:
>  * master (upgrade from 2.9.5 to 2.9.8)
>  * 7.1.x (upgrade from 2.9.5 to 2.9.8)
>  * 7.0.x (upgrade from 2.8.11.1 to 2.8.11.3)
> Please note that no upgrade of jackson-databind dependencies will be done for 6.0.x and
> 6.1.x versions. The 6.0.x and 6.1.x brokers can be upgraded to 7.1.x.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
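The issue description above rests on one observation: the jackson-databind CVEs only matter if an application lets the JSON choose which class Jackson instantiates, which is what ObjectMapper#enableDefaultTyping(...) (or an equivalent TypeResolverBuilder/annotation) does. The Java snippet below is an added illustration of that distinction; it is not code from Broker-J, from Jackson, or from the commit referenced in this comment. The Greeting class stands in for any class on the classpath, and the JSON payload is constructed for the example. It only needs jackson-databind on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingDemo {

    // Hypothetical bean: in a real attack the name in the JSON would be one of
    // the gadget classes the CVEs above refer to, not a harmless bean like this.
    public static class Greeting {
        public String message;

        @Override
        public String toString() {
            return "Greeting(" + message + ")";
        }
    }

    // Constructed "untrusted" input. Jackson's default-typing wire format for a
    // target of type Object is a two-element array: [fully.qualified.ClassName, value].
    // The class name is attacker-controlled data.
    static final String PAYLOAD =
            "[\"DefaultTypingDemo$Greeting\", {\"message\": \"hello\"}]";

    // What Broker-J does: a plain ObjectMapper. Polymorphic typing is off, so the
    // class name in the payload is just a string element of a List and the value
    // is a Map. No class is looked up or instantiated from the JSON.
    static Object parseWithoutDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Object.class);
    }

    // What the CVEs require: default typing enabled. Jackson now reads the first
    // array element as a class name, resolves it, and instantiates it. The class
    // name in the payload decides which class is created. (Deprecated since 2.10
    // in favour of activateDefaultTyping with a PolymorphicTypeValidator.)
    @SuppressWarnings("deprecation")
    static Object parseWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        Object plain = parseWithoutDefaultTyping(PAYLOAD);
        System.out.println("no default typing : "
                + plain.getClass().getName() + " -> " + plain);

        Object typed = parseWithDefaultTyping(PAYLOAD);
        System.out.println("default typing on : "
                + typed.getClass().getName() + " -> " + typed);
    }
}
```

Run with jackson-databind on the classpath. The first call returns a java.util.ArrayList holding the class name as a String and a Map; the second returns an instance of Greeting, because the JSON was allowed to name the class. The 2.9.7/2.8.11.3 fixes for the four CVEs block specific gadget classes in the second configuration; a code base that never enables default typing or type-resolving annotations, as the description states for Broker-J, is not exposed to that class of issue in the first place. When reviewing a dependency bump like this one, the check worth doing is exactly the one in the description: grep the code base for enableDefaultTyping, setDefaultTyping, @JsonTypeInfo and custom TypeResolverBuilders, and treat any hit as in scope for the CVEs regardless of the jackson-databind version shipped.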

