Posted to dev@qpid.apache.org by "Alex Rudyy (JIRA)" <ji...@apache.org> on 2019/07/03 10:50:00 UTC

[jira] [Created] (QPID-8329) [Broker-J] Upgrade jackson dependencies to version 2.9.9

Alex Rudyy created QPID-8329:
--------------------------------

             Summary: [Broker-J] Upgrade jackson dependencies to version 2.9.9
                 Key: QPID-8329
                 URL: https://issues.apache.org/jira/browse/QPID-8329
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
            Reporter: Alex Rudyy
             Fix For: qpid-java-broker-8.0.0


The CVE vulnerabilities CVE-2019-12086, CVE-2019-12384, CVE-2019-12814
have been reported against jackson-core and jackson-databind version 2.9.8.

The Apache Qpid Broker-J product itself is NOT AFFECTED by these vulnerabilities because Broker-J code never enables Jackson's polymorphic deserialisation feature; specifically, it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.

Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of jackson-core and jackson-databind that are not vulnerable to the reported CVEs:
* jackson-core 2.9.9
* jackson-databind 2.9.9.1



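The ticket's argument rests on one configuration fact: the ObjectMapper never has default typing switched on. The following is an added example, not Broker-J code and not part of the JIRA, showing how a project can turn that fact into a regression guard. It assumes the jackson-databind 2.9 API (`ObjectMapper`, `MapperConfig.getDefaultTyper(JavaType)`, `TypeReference`); the class `DefaultTypingGuard`, its methods and the sample JSON are all constructed for this example. The guard throws if any code path ever installs a default TypeResolverBuilder, and the read path shows that a plain mapper treats a `["class.Name", {...}]` pair as an ordinary two-element list rather than as a type id plus value.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.List;
import java.util.Map;

/**
 * Added example (hypothetical, not Broker-J code): a fail-fast guard against
 * Jackson default typing being enabled, plus a demonstration that a mapper
 * built without it reads a would-be type hint as plain data.
 */
public class DefaultTypingGuard {

    /** Plain mapper: no enableDefaultTyping(...), no setDefaultTyping(TypeResolverBuilder). */
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    /**
     * True when a default TypeResolverBuilder is installed, which is exactly what
     * enableDefaultTyping(...) and setDefaultTyping(...) do.
     * Assumption: MapperConfig.getDefaultTyper(JavaType) from jackson-databind 2.9.
     */
    static boolean defaultTypingEnabled(ObjectMapper mapper) {
        JavaType base = mapper.constructType(Object.class);
        return mapper.getDeserializationConfig().getDefaultTyper(base) != null;
    }

    /** Refuse to use a mapper whose configuration has drifted from the safe baseline. */
    static ObjectMapper requireNoDefaultTyping(ObjectMapper mapper) {
        if (defaultTypingEnabled(mapper)) {
            throw new IllegalStateException(
                "ObjectMapper has default typing enabled; refusing to deserialise untrusted input");
        }
        return mapper;
    }

    /**
     * Reads untrusted JSON into a generic map. Without default typing, Jackson has
     * no reason to treat ["some.ClassName", {...}] as a type id followed by a value;
     * it is simply a List with two elements, so no class lookup ever happens.
     */
    static Object readPayload(ObjectMapper mapper, String json) throws Exception {
        Map<String, Object> parsed = requireNoDefaultTyping(mapper)
                .readValue(json, new TypeReference<Map<String, Object>>() {});
        return parsed.get("payload");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input shaped like a polymorphic type hint; the class name is a placeholder.
        String sample = "{\"payload\":[\"example.PlaceholderClass\",{\"k\":\"v\"}]}";
        ObjectMapper mapper = plainMapper();
        Object payload = readPayload(mapper, sample);
        System.out.println("default typing enabled: " + defaultTypingEnabled(mapper));
        System.out.println("payload parsed as plain List: " + (payload instanceof List));
    }
}
```

Wiring `requireNoDefaultTyping` into the factory that hands out the project's shared ObjectMapper (or asserting `defaultTypingEnabled(...)` is false in a unit test) keeps the "never enables default typing" property from silently regressing in a later change, independently of which jackson-databind version is on the classpath.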