Posted to issues@jmeter.apache.org by bu...@apache.org on 2019/08/09 14:58:05 UTC

[Bug 63655] New: Please update dependency of jackson-databind and apache-tika

https://bz.apache.org/bugzilla/show_bug.cgi?id=63655

            Bug ID: 63655
           Summary: Please update dependency of jackson-databind and
                    apache-tika
           Product: JMeter
           Version: 5.1.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Main
          Assignee: issues@jmeter.apache.org
          Reporter: stefan@trilobyte-se.de
  Target Milestone: JMETER_5.2

Hello,

please update these two dependencies to the latest versions to fix some
problems.

* com.fasterxml.jackson.core:jackson-databind to 2.9.9.3
multiple problems compared to current 2.9.9
CVE-2019-14379 - https://github.com/FasterXML/jackson-databind/issues/2387
CVE-2019-12384 - https://github.com/FasterXML/jackson-databind/issues/2334
CVE-2019-12814 - https://github.com/FasterXML/jackson-databind/issues/2341


* org.apache.tika:tika-core to 1.22 (fix CVE-2019-10094)
   Mailing-list description of problem:
https://lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3a3d71fb72ef61@<dev.tika.apache.org>

We are using these replacements libs for some days with noticing problems (but
these are no real extensive tests)

Thanks,
Stefan Seide

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 63655] Please update dependency of jackson-databind and apache-tika

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655

Philippe Mouawad <p....@ubik-ingenierie.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |p.mouawad@ubik-ingenierie.com
             Status|NEEDINFO                    |RESOLVED


[Bug 63655] Please update dependency of jackson-databind and apache-tika

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|Linux                       |All
           Keywords|                            |FixedInTrunk
           Hardware|PC                          |All
             Status|NEW                         |NEEDINFO

--- Comment #4 from Felix Schumacher <fe...@internetallee.de> ---
Fixed in trunk and will hopefully be available with the next nightly version.

@Stefan could you verify that it works for you?

commit e5a2fe131fb27302d7537bb623ba38ec87f0d50a
AuthorDate: Thu Aug 15 13:03:30 2019 +0200

    Update tika and jackson

    As jackson-databind now has a different release version than its sisters, we
    have to introduce another property. Hopefully we can get rid of it with the
    next update.

    Bugzilla Id: 63655
---
 checksum.properties      | 6 +++---
 gradle.properties        | 3 ++-
 src/bom/build.gradle.kts | 2 +-
 xdocs/changes.xml        | 4 ++--
 4 files changed, 8 insertions(+), 7 deletions(-)


[Bug 63655] Please update dependency of jackson-databind and apache-tika

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655

--- Comment #2 from S. Seide <st...@trilobyte-se.de> ---
oh - you are right. I meant "withOUT" problems. Would not open ticket
otherwise...
btw - jackson-databind 2.9.9.2 had bugs, must use latest 2.9.9.3...


For a patch I'm not really sure. We use JMeter embedded inside another Spring
app, fetching JMeter dependency via maven/pom.xml and just overwrote these
libraries inside our own pom... There were no code changes necessary, just
replaced the libs.

Thanks,
Stefan Seide
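
A check for the override described in the comment above, as an added example that is not part of the thread or of JMeter's build: it scans `mvn dependency:tree` output for the two libraries named in this report and flags any that resolve below the requested versions. The sample tree, the `com.example` application and all function names are constructed for illustration.

```python
import re

# Minimum versions requested in this bug report (taken from the thread).
MIN_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.9.3",
    "org.apache.tika:tika-core": "1.22",
}

# Constructed sample of `mvn dependency:tree` output, not from a real build.
SAMPLE_TREE = """\
[INFO] com.example:embedding-app:jar:1.0.0
[INFO] +- org.apache.jmeter:ApacheJMeter_core:jar:5.1.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  \\- org.apache.tika:tika-core:jar:1.21:compile
[INFO] \\- org.springframework:spring-core:jar:5.1.9.RELEASE:compile
"""


def version_key(version):
    """Leading numeric segments as a tuple, so 2.9.9 < 2.9.9.2 < 2.9.9.3 < 2.10.0."""
    parts = []
    for seg in re.split(r"[.\-]", version):
        if not seg.isdigit():
            break  # qualifiers such as RELEASE or SNAPSHOT are ignored
        parts.append(int(seg))
    return tuple(parts)


def parse_tree(text):
    """Yield (group:artifact, version) for each resolved dependency line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()[-1].split(":")
        if len(fields) == 5:      # group:artifact:type:version:scope
            yield f"{fields[0]}:{fields[1]}", fields[3]
        elif len(fields) == 6:    # group:artifact:type:classifier:version:scope
            yield f"{fields[0]}:{fields[1]}", fields[4]


def find_outdated(text, minimums=MIN_VERSIONS):
    """Return sorted (coordinate, found, required) for libraries below minimum."""
    hits = set()
    for coord, found in parse_tree(text):
        required = minimums.get(coord)
        if required and version_key(found) < version_key(required):
            hits.add((coord, found, required))
    return sorted(hits)
```

Only the coordinates listed in `MIN_VERSIONS` are checked, so `jackson-core` staying at 2.9.9 is not reported; a four-part version such as 2.9.9.2 still compares below 2.9.9.3.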


[Bug 63655] Please update dependency of jackson-databind and apache-tika

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #3 from Felix Schumacher <fe...@internetallee.de> ---
Patches should now be easier than ever after we switched to gradle and you have
to twiddle only at two places :)

I will do it this time and maybe next time it will be easier for you.


[Bug 63655] Please update dependency of jackson-databind and apache-tika

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
Would you like to do a PR or patch to update those?

And did you really mean "... for some days with noticing problems ...", or was
that a typo and you meant "... without ..."?
