Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2020/12/05 10:51:32 UTC

[GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

sirocchj opened a new pull request #9702:
URL: https://github.com/apache/kafka/pull/9702


   One line change in `dependencies.gradle` to pick latest patched version of jackson 2.10.5 series (now in maintenance mode). This should likely be backported to 2.6.x and integrated in the 2.7.0-rc cycle
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
ijuma edited a comment on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-745686953


   I merged to trunk, 2.7, 2.6 and 2.5.





[GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
niteshmor edited a comment on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-741973244


   Thanks @sirocchj, you beat me to it for this upgrade request.  
   
   For older branches, these are the current versions of jackson databind in use:
   
   ```
   2.1:    2.9.8
   2.2:    2.10.0
   2.3:    2.10.0
   2.4:    2.10.0
   2.5:    2.10.2
   2.6:    2.10.2
   2.7:    2.10.5
   trunk:  2.10.5
   ```
   
   Based on the comment [here](https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837) and the release announcement [linked above](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#micro-patches), there will not be a 2.10.2.1, and kafka 2.6 will need jackson upgrade from 2.10.2 => 2.10.5.1 to be free of this vulnerability. 
   
   Based on the recency of kafka versions and the required change in jackson version for kafka to be CVE free, may I recommend the following upgrade paths
   
   ```
   2.1:    2.9.8    =>   x
   2.2:    2.10.0   =>   x
   2.3:    2.10.0   =>   x
   2.4:    2.10.0   =>   x
   2.5:    2.10.2   =>  2.10.5.1
   2.6:    2.10.2   =>  2.10.5.1
   2.7:    2.10.5   =>  2.10.5.1
   trunk:  2.10.5   =>  2.10.5.1
   ```
   
   (edit: updated tables to indicate 2.4 => 2.10.0, and not 2.10.5.)


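The upgrade-path table above turns on one detail that trips up naive tooling: the fix for CVE-2020-25649 (an XML external entity issue in jackson-databind's DOM deserialization) ships as a four-component micro-patch, 2.10.5.1, and no 2.10.2.1 exists, so a 2.10.x pin below 2.10.5.1 has to jump straight to 2.10.5.1. The script below is an added example, not Kafka's tooling or anything from this PR: it scans constructed per-branch `dependencies.gradle` snippets (modelled on the `versions += [ ... jackson: "x.y.z" ... ]` map, which is an assumption about the file's shape), extracts the jackson pin, compares it with a comparator that understands the fourth component, and emits the same `=> 2.10.5.1` / `=> x` notation the thread uses. Branch names, snippet contents and the `assess` rules for lines other than 2.10 are illustrative.

```python
"""Flag jackson pins vulnerable to CVE-2020-25649 across branch snippets.

Added example, not Kafka's own tooling. BRANCH_SNIPPETS is constructed to
mimic the `versions += [ ... jackson: "x.y.z" ... ]` map in Kafka's
gradle/dependencies.gradle; the real file is longer and may differ.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fix version for the 2.10 line as stated in the thread. No 2.10.2.1 exists,
# so any 2.10.x pin below this must move straight to 2.10.5.1.
FIXED_2_10 = "2.10.5.1"

# Matches a line such as:   jackson: "2.10.5",
JACKSON_RE = re.compile(r'\bjackson\s*:\s*"([0-9][0-9.]*)"')

# Constructed snippets (assumption: same key name on every branch).
BRANCH_SNIPPETS: Dict[str, str] = {
    "2.1": 'versions += [\n  jackson: "2.9.8",\n  jetty: "9.4.12.v20180830",\n]',
    "2.4": 'versions += [\n  jackson: "2.10.0",\n]',
    "2.6": 'versions += [\n  jackson: "2.10.2",\n]',
    "2.7": 'versions += [\n  jackson: "2.10.5",\n]',
    "trunk": 'versions += [\n  jackson: "2.10.5.1",\n]',
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split "2.10.5.1" into (2, 10, 5, 1).

    Jackson micro-patches carry a fourth component; a strict three-field
    semver parser would either reject them or silently drop the ".1".
    """
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b, zero-padding shorter tuples so 2.10.5 < 2.10.5.1."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def pinned_jackson(snippet: str) -> Optional[str]:
    """Return the jackson version pinned in a dependencies.gradle snippet."""
    m = JACKSON_RE.search(snippet)
    return m.group(1) if m else None


def assess(version: str) -> str:
    """Upgrade target for a pinned jackson version, in the thread's notation.

    '2.10.5.1' : 2.10.x pin below the fix, bump required
    'ok'       : already at or above the fix
    'x'        : pre-2.10 line, which the thread did not propose to bump
    'unassessed': newer line, outside what this example covers
    """
    parts = parse_version(version)
    if parts[:2] == (2, 10):
        return FIXED_2_10 if version_lt(version, FIXED_2_10) else "ok"
    if version_lt(version, "2.10.0"):
        return "x"
    return "unassessed"


def scan(snippets: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Produce (branch, pinned version, action) rows for every snippet."""
    rows: List[Tuple[str, str, str]] = []
    for branch, snippet in snippets.items():
        v = pinned_jackson(snippet)
        if v is None:
            rows.append((branch, "?", "no jackson pin found"))
            continue
        rows.append((branch, v, assess(v)))
    return rows


if __name__ == "__main__":
    for branch, v, action in scan(BRANCH_SNIPPETS):
        print(f"{branch:6} {v:10} => {action}")
```

Run against a real checkout by replacing `BRANCH_SNIPPETS` with the contents of `gradle/dependencies.gradle` from each branch (`git show <branch>:gradle/dependencies.gradle`); the comparator is the part worth keeping, since the same micro-patch numbering recurs in other Jackson security releases.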



[GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
ijuma commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-741836921


   cc @bbejeck @niteshmor 





[GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
sirocchj commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-742027911


   Sounds good to me @niteshmor
   Want me to open them as separate PRs and as fast follows to this or what do you propose?
   
   PS: I did see we needed to jump a few patch releases for 2.6. Hadn't noticed 2.4 was on 2.10.5 already though





[GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
niteshmor commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-741973244


   Thanks @sirocchj, you beat me to it for this upgrade request.  
   
   For older branches, these are the current versions of jackson databind in use:
   
   ```
   2.1:    2.9.8
   2.2:    2.10.0
   2.3:    2.10.0
   2.4:    2.10.5
   2.5:    2.10.2
   2.6:    2.10.2
   2.7:    2.10.5
   trunk:  2.10.5
   ```
   
   Based on the comment [here](https://github.com/FasterXML/jackson-databind/issues/2589#issuecomment-714833837) and the release announcement [linked above](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#micro-patches), there will not be a 2.10.2.1, and kafka 2.6 will need jackson upgrade from 2.10.2 => 2.10.5.1 to be free of this vulnerability. 
   
   Based on the recency of kafka versions and the required change in jackson version for kafka to be CVE free, may I recommend the following upgrade paths
   
   ```
   2.1:    2.9.8    =>   x
   2.2:    2.10.0   =>   x
   2.3:    2.10.0   =>   x
   2.4:    2.10.5   =>  2.10.5.1
   2.5:    2.10.2   =>  2.10.5.1
   2.6:    2.10.2   =>  2.10.5.1
   2.7:    2.10.5   =>  2.10.5.1
   trunk:  2.10.5   =>  2.10.5.1
   ```





[GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
sirocchj commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-742607711


   > PS: I did see we needed to jump a few patch releases for 2.6 (and 2.5). Hadn't noticed 2.4 was on 2.10.5 already though
   
   And indeed, unless I'm missing something, 2.4 seems to be on `2.10.0` not `2.10.5` (see https://github.com/apache/kafka/blob/2.4/gradle/dependencies.gradle#L74)





[GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
niteshmor commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-742047238


   > Sounds good to me @niteshmor
   > Want me to open them as separate PRs and as fast follows to this or what do you propose?
   
   This will really be a question for a reviewer (and what they think might be appropriate from a testing/cherry-picking perspective). People with context on this @ijuma @rhauch or @kkonstantine -- any opinions? 





[GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
ijuma commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-745686953


   I merged to trunk and 2.7 branches. There were conflicts for older branches.





[GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
niteshmor commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-742615616


   > > PS: I did see we needed to jump a few patch releases for 2.6 (and 2.5). Hadn't noticed 2.4 was on 2.10.5 already though
   > 
   > And indeed, unless I'm missing something, 2.4 seems to be on `2.10.0` not `2.10.5` (see https://github.com/apache/kafka/blob/2.4/gradle/dependencies.gradle#L74)
   
   Yes, you are correct. Thank you for pointing it out. My local git copy had a slightly messed up 2.4 branch. Fixing the above tables.





[GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
ijuma merged pull request #9702:
URL: https://github.com/apache/kafka/pull/9702


   





[GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
sirocchj edited a comment on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-742027911


   Sounds good to me @niteshmor
   Want me to open them as separate PRs and as fast follows to this or what do you propose?
   
   PS: I did see we needed to jump a few patch releases for 2.6 (and 2.5). Hadn't noticed 2.4 was on 2.10.5 already though





[GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1

Posted by GitBox <gi...@apache.org>.
ijuma commented on pull request #9702:
URL: https://github.com/apache/kafka/pull/9702#issuecomment-745466670


   The build doesn't seem to complete for some reason. It happened twice in a row. It may be worth rebasing against trunk.

