Posted to issues@calcite.apache.org by "Alexey Roytman (JIRA)" <ji...@apache.org> on 2018/01/30 08:57:00 UTC
[jira] [Updated] (CALCITE-2154) upgrade jackson
[ https://issues.apache.org/jira/browse/CALCITE-2154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Roytman updated CALCITE-2154:
------------------------------------
Labels: cve security third-party (was: cve security)
> upgrade jackson
> ----------------
>
> Key: CALCITE-2154
> URL: https://issues.apache.org/jira/browse/CALCITE-2154
> Project: Calcite
> Issue Type: Bug
> Components: core
> Affects Versions: 1.15.0
> Reporter: Alexey Roytman
> Assignee: Julian Hyde
> Priority: Major
> Labels: cve, security, third-party
>
> Calcite now uses FasterXML Jackson 2.6.3, which has known security vulnerabilities:
> * CVE-2017-7525 describes a remote code execution vulnerability.
> Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions.
> * CVE-2017-15095 describes more deserialization exploits for jackson-databind as a follow-up to CVE-2017-7525.
> * CVE-2017-17485 is about jackson-databind up to 2.9.3 allowing unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw.
> * CVE-2018-5968 is about jackson-databind up to 2.9.3 allowing unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
> Please upgrade to the latest version of FasterXML Jackson (on 2018-01-30 it's version 2.9.4).
> I hope that fixing pom.xml files and running tests is enough.
> (See also JIRA:CALCITE-1021, JIRA:KYLIN-3027)
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
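The ticket asks for the Jackson version pinned in Calcite's pom.xml files to be raised to a release that carries the fixes for the four listed CVEs. The script below is an added example, not Calcite code and not part of the ticket: it parses a Maven pom.xml, resolves `${property}` version references, and flags every com.fasterxml.jackson artifact whose version is below a minimum. The pom.xml content is a constructed sample, and the minimum of 2.9.4 is an assumption taken from the ticket's statement that 2.9.4 was the latest release on 2018-01-30 and that CVE-2018-5968 affects versions up to 2.9.3; adjust it when later advisories move the bar.

```python
"""Flag Jackson artifacts in a Maven pom.xml that sit below a fixed version.

Added example for this ticket, not Calcite code. SAMPLE_POM is a constructed
pom.xml fragment; MIN_FIXED = 2.9.4 is an assumption based on the ticket's
statement that CVE-2018-5968 affects jackson-databind up to 2.9.3.
"""
import re
import xml.etree.ElementTree as ET

MIN_FIXED = (2, 9, 4)
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: pins jackson-databind through a property (as many
# projects do) and jackson-core directly, so both resolution paths are tested.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson.version>2.6.3</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>2.9.4</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.9.4' -> (2, 9, 4); tolerates '2.9.4.1' and '2.9.4-SNAPSHOT' style suffixes."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def resolve(value, props):
    """Expand ${prop} references using the pom's <properties>; unknown props are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda mt: props.get(mt.group(1), mt.group(0)), value)


def jackson_versions(pom_xml):
    """Return {artifactId: resolved version} for every com.fasterxml.jackson.* dependency."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {
        child.tag.split("}")[-1]: (child.text or "") for child in props_el
    }
    found = {}
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        if not gid.startswith("com.fasterxml.jackson"):
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        found[aid] = resolve(ver, props)
    return found


def vulnerable_artifacts(pom_xml, min_fixed=MIN_FIXED):
    """Sorted (artifactId, version) pairs whose version is below min_fixed.

    The CVEs in the ticket are in jackson-databind, but all Jackson artifacts
    are checked because they are normally kept at one version in lockstep.
    """
    return sorted(
        (aid, ver)
        for aid, ver in jackson_versions(pom_xml).items()
        if parse_version(ver) < min_fixed
    )


if __name__ == "__main__":
    floor = ".".join(map(str, MIN_FIXED))
    for aid, ver in vulnerable_artifacts(SAMPLE_POM):
        print(f"{aid} {ver} is below {floor}; upgrade")
```

Run against the constructed pom this reports only jackson-databind 2.6.3, since the property-pinned version resolves below the floor while the directly pinned jackson-core 2.9.4 passes. Versions inherited from a parent pom or a `<dependencyManagement>` BOM are not visible in a single file; for those, `mvn dependency:tree` output is the thing to check.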