Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2022/11/10 00:36:15 UTC

[GitHub] [kafka] pratimsc opened a new pull request, #12840: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

pratimsc opened a new pull request, #12840:
URL: https://github.com/apache/kafka/pull/12840

   Updated the Jackson libraries for mitigating CVEs fixed under release `2.13.4`, ref: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.4
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [kafka] pratimsc commented on a diff in pull request #12840: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

Posted by GitBox <gi...@apache.org>.
pratimsc commented on code in PR #12840:
URL: https://github.com/apache/kafka/pull/12840#discussion_r1020162892


##########
LICENSE-binary:
##########
@@ -208,18 +208,18 @@ License Version 2.0:
 audience-annotations-0.5.0
 commons-cli-1.4
 commons-lang3-3.12.0
-jackson-annotations-2.13.3
-jackson-core-2.13.3
-jackson-databind-2.13.3
-jackson-dataformat-csv-2.13.3
-jackson-dataformat-yaml-2.13.3
-jackson-datatype-jdk8-2.13.3
-jackson-datatype-jsr310-2.13.3
-jackson-jaxrs-base-2.13.3
-jackson-jaxrs-json-provider-2.13.3
-jackson-module-jaxb-annotations-2.13.3
-jackson-module-scala_2.13-2.13.3
-jackson-module-scala_2.12-2.13.3
+jackson-annotations-2.13.4
+jackson-core-2.13.4
+jackson-databind-2.13.4
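Review bot: the displayed hunk is truncated, so most of the change cannot be reviewed from this snippet: the header declares 18 lines on each side, but only the 3 context lines, 12 `-` lines and 3 `+` lines are visible, leaving the nine replacement entries for jackson-dataformat-csv, jackson-dataformat-yaml, jackson-datatype-jdk8, jackson-datatype-jsr310, jackson-jaxrs-base, jackson-jaxrs-json-provider, jackson-module-jaxb-annotations, jackson-module-scala_2.13 and jackson-module-scala_2.12 out of view. Confirm in the full diff that every one of those is moved to the same release line, so LICENSE-binary does not end up with a partial bump.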

Review Comment:
   It's such a shame that I forgot to push the update. I have pushed it now. 





[GitHub] [kafka] pratimsc commented on pull request #12840: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

Posted by GitBox <gi...@apache.org>.
pratimsc commented on PR #12840:
URL: https://github.com/apache/kafka/pull/12840#issuecomment-1315193071

   Hi @showuon - any more action required from me? Or is this PR good to merge?




[GitHub] [kafka] showuon commented on a diff in pull request #12840: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

Posted by GitBox <gi...@apache.org>.
showuon commented on code in PR #12840:
URL: https://github.com/apache/kafka/pull/12840#discussion_r1019805336


##########
LICENSE-binary:
##########
@@ -208,18 +208,18 @@ License Version 2.0:
 audience-annotations-0.5.0
 commons-cli-1.4
 commons-lang3-3.12.0
-jackson-annotations-2.13.3
-jackson-core-2.13.3
-jackson-databind-2.13.3
-jackson-dataformat-csv-2.13.3
-jackson-dataformat-yaml-2.13.3
-jackson-datatype-jdk8-2.13.3
-jackson-datatype-jsr310-2.13.3
-jackson-jaxrs-base-2.13.3
-jackson-jaxrs-json-provider-2.13.3
-jackson-module-jaxb-annotations-2.13.3
-jackson-module-scala_2.13-2.13.3
-jackson-module-scala_2.12-2.13.3
+jackson-annotations-2.13.4
+jackson-core-2.13.4
+jackson-databind-2.13.4
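Review bot: `+jackson-databind-2.13.4` keeps databind on the base 2.13.4 release, whereas the fix for CVE-2022-42003 discussed in this thread ships in the databind micro release 2.13.4.2 while the other Jackson modules stay at 2.13.4. LICENSE-binary has to list the version the binary distribution actually bundles, so if the build's databind declaration is moved to 2.13.4.2 this line must change to `+jackson-databind-2.13.4.2` in the same commit.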

Review Comment:
   2.13.4.2 ?





[GitHub] [kafka] omkreddy merged pull request #12840: KAFKA-14320: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

Posted by GitBox <gi...@apache.org>.
omkreddy merged PR #12840:
URL: https://github.com/apache/kafka/pull/12840




[GitHub] [kafka] showuon commented on pull request #12840: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

Posted by GitBox <gi...@apache.org>.
showuon commented on PR #12840:
URL: https://github.com/apache/kafka/pull/12840#issuecomment-1309672615

   Should we also bump the `jackson-databind` to 2.13.4.2 for CVE-2022-42003? 
   
   ref: https://github.com/spring-projects/spring-boot/issues/32583




[GitHub] [kafka] pratimsc commented on pull request #12840: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004

Posted by GitBox <gi...@apache.org>.
pratimsc commented on PR #12840:
URL: https://github.com/apache/kafka/pull/12840#issuecomment-1310098026

   > Should we also bump the `jackson-databind` to 2.13.4.2 for [CVE-2022-42003](https://github.com/advisories/GHSA-jjjh-jjxp-wpff)?
   > 
   > ref: [spring-projects/spring-boot#32583](https://github.com/spring-projects/spring-boot/issues/32583)
   
   The `jackson-databind` has been updated to 2.13.4.2 for https://github.com/advisories/GHSA-jjjh-jjxp-wpff?
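
The version question raised above (whether `jackson-databind` needs the 2.13.4.2 micro release while the other Jackson modules sit at 2.13.4) is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the Kafka project or from this PR: it parses a LICENSE-binary-style artifact list and flags Jackson modules that are on mixed release lines, or a `jackson-databind` entry below a minimum patched version. The sample entries are constructed from the hunk quoted in the thread; the `MIN_DATABIND` constant, the function names and the "partial bump" sample are assumptions made for the example.

```python
"""Consistency check for Jackson entries in a LICENSE-binary-style artifact list.

Added example (not part of the Kafka PR). Two findings are reported:
  1. Jackson modules whose first three version components differ, i.e. a
     bump that was only partially applied.
  2. jackson-databind below a minimum patched version (2.13.4.2, the
     databind micro release the thread names for CVE-2022-42003).
A databind micro release such as 2.13.4.2 is *expected* to sit beside
2.13.4 of the other modules, so the release-line comparison uses only the
first three components.
"""
import re
from typing import Dict, List, Tuple

# Lines look like "<artifact-name>-<version>", e.g. jackson-module-scala_2.13-2.13.3.
# The non-greedy name stops at the first "-" that is followed by a pure dotted
# numeric version running to end of line.
ARTIFACT_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)$")

JACKSON_PREFIX = "jackson-"
MIN_DATABIND = "2.13.4.2"  # assumption for the example: minimum patched databind


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.13.4.2' -> (2, 13, 4, 2); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def parse_artifacts(text: str) -> Dict[str, str]:
    """Map artifact name -> version string for each line that looks like name-version."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ARTIFACT_LINE.match(line) if line else None
        if m:
            out[m.group("name")] = m.group("version")
    return out


def check_jackson(artifacts: Dict[str, str], min_databind: str = MIN_DATABIND) -> List[str]:
    """Return human-readable findings; an empty list means the Jackson set is consistent."""
    findings: List[str] = []
    jackson = {n: v for n, v in artifacts.items() if n.startswith(JACKSON_PREFIX)}
    if not jackson:
        return findings

    # Group modules by release line (first three components).
    lines: Dict[str, List[str]] = {}
    for name, ver in jackson.items():
        base = ".".join(ver.split(".")[:3])
        lines.setdefault(base, []).append(name)
    if len(lines) > 1:
        detail = "; ".join(f"{b}: {', '.join(sorted(ns))}" for b, ns in sorted(lines.items()))
        findings.append(f"jackson modules on mixed release lines: {detail}")

    db = jackson.get("jackson-databind")
    if db is None:
        findings.append("jackson-databind missing from list")
    elif parse_version(db) < parse_version(min_databind):
        findings.append(f"jackson-databind {db} is below minimum {min_databind}")
    return findings


# Constructed samples based on the LICENSE-binary hunk quoted in the thread.
BEFORE = """\
audience-annotations-0.5.0
commons-cli-1.4
commons-lang3-3.12.0
jackson-annotations-2.13.3
jackson-core-2.13.3
jackson-databind-2.13.3
jackson-module-scala_2.13-2.13.3
"""

# Hypothetical partial bump: the scala module was left behind.
PARTIAL_BUMP = """\
jackson-annotations-2.13.4
jackson-core-2.13.4
jackson-databind-2.13.4
jackson-module-scala_2.13-2.13.3
"""

# State the thread converges on: databind micro release, everything else 2.13.4.
AFTER = """\
jackson-annotations-2.13.4
jackson-core-2.13.4
jackson-databind-2.13.4.2
jackson-module-scala_2.13-2.13.4
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("partial", PARTIAL_BUMP), ("after", AFTER)):
        print(label, check_jackson(parse_artifacts(text)) or "ok")
```

Run it against the real LICENSE-binary to get the same two signals a reviewer was asking for here: that no module was left on the old line, and that the databind entry is at or above the patched micro release. The regex deliberately anchors on a trailing dotted numeric version so names containing underscores or digits (the `_2.13` Scala suffix) are not split in the wrong place.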



