Posted to issues@jmeter.apache.org by bu...@apache.org on 2019/08/09 14:58:05 UTC
[Bug 63655] New: Please update dependency of jackson-databind and apache-tika
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655
Bug ID: 63655
Summary: Please update dependency of jackson-databind and apache-tika
Product: JMeter
Version: 5.1.1
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Main
Assignee: issues@jmeter.apache.org
Reporter: stefan@trilobyte-se.de
Target Milestone: JMETER_5.2
Hello,
please update these two dependencies to the latest versions to fix some
problems.
* com.fasterxml.jackson.core:jackson-databind to 2.9.9.3
multiple problems compared to current 2.9.9
CVE-2019-14379 - https://github.com/FasterXML/jackson-databind/issues/2387
CVE-2019-12384 - https://github.com/FasterXML/jackson-databind/issues/2334
CVE-2019-12814 - https://github.com/FasterXML/jackson-databind/issues/2341
* org.apache.tika:tika-core to 1.22 (fix CVE-2019-10094)
Mailing-list description of problem:
https://lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3a3d71fb72ef61@<dev.tika.apache.org>
We are using these replacements libs for some days with noticing problems (but
these are no real extensive tests)
Thanks,
Stefan Seide
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 63655] Please update dependency of jackson-databind and apache-tika
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655
Philippe Mouawad <p....@ubik-ingenierie.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
CC| |p.mouawad@ubik-ingenierie.com
Status|NEEDINFO |RESOLVED
[Bug 63655] Please update dependency of jackson-databind and apache-tika
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655
Felix Schumacher <fe...@internetallee.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS|Linux |All
Keywords| |FixedInTrunk
Hardware|PC |All
Status|NEW |NEEDINFO
--- Comment #4 from Felix Schumacher <fe...@internetallee.de> ---
Fixed in trunk and will hopefully be available with the next nightly version.
@Stefan could you verify that it works for you?
commit e5a2fe131fb27302d7537bb623ba38ec87f0d50a
AuthorDate: Thu Aug 15 13:03:30 2019 +0200
Update tika and jackson
As jackson-databind now has a different release version than its sisters, we
have to introduce another property. Hopefully we can get rid of it with the
next update.
Bugzilla Id: 63655
---
checksum.properties | 6 +++---
gradle.properties | 3 ++-
src/bom/build.gradle.kts | 2 +-
xdocs/changes.xml | 4 ++--
4 files changed, 8 insertions(+), 7 deletions(-)
[Bug 63655] Please update dependency of jackson-databind and apache-tika
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655
--- Comment #2 from S. Seide <st...@trilobyte-se.de> ---
oh - you are right. I meant "withOUT" problems. Would not open ticket
otherwise...
btw - jackson-databind 2.9.9.2 had bugs, must use latest 2.9.9.3...
For a patch I'm not really sure. We use JMeter embedded inside another Spring
app, fetching JMeter dependency via maven/pom.xml and just overwrote these
libraries inside our own pom... There were no code changes necessary, just
replaced the libs.
Thanks,
Stefan Seide
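One way to confirm that a version override like the one described in the comment above actually took effect, as an added example that is not part of the original thread or of JMeter's code: it parses lines in the style of `mvn dependency:list` output and reports any dependency below the fixed versions named in this bug. The sample lines are constructed, and the version ordering is a simplification of Maven's rules.

```python
# Minimum fixed versions requested in the bug report above.
MIN_FIXED = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.9.3",
    ("org.apache.tika", "tika-core"): "1.22",
}

# Constructed sample in the style of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.apache.jmeter:ApacheJMeter_core:jar:5.1.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO]    org.apache.tika:tika-core:jar:1.21:compile
"""


def version_key(version):
    """Sortable key for dotted versions (a simplification of Maven ordering)."""
    release, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in release.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()  # 1.22.0 and 1.22 compare equal
    # A qualified build (-SNAPSHOT, -rc1) sorts before the plain release.
    return (tuple(nums), 0 if qualifier else 1)


def parse_dependencies(text):
    """Yield (group, artifact, version) from group:artifact:type[:classifier]:version:scope."""
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) in (5, 6):
            yield parts[0], parts[1], parts[-2]


def outdated(text, minimums=MIN_FIXED):
    """Return (coordinate, found, minimum) for each dependency below its fixed version."""
    findings = []
    for group, artifact, version in parse_dependencies(text):
        minimum = minimums.get((group, artifact))
        if minimum and version_key(version) < version_key(minimum):
            findings.append((f"{group}:{artifact}", version, minimum))
    return findings


if __name__ == "__main__":
    for coord, found, minimum in outdated(SAMPLE):
        print(f"{coord}: {found} is below fixed version {minimum}")
```

Note that jackson-core at 2.9.9 is not reported: only jackson-databind has the four-part 2.9.9.3 release, so each artifact is checked against its own minimum rather than a shared Jackson version.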
[Bug 63655] Please update dependency of jackson-databind and apache-tika
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655
Felix Schumacher <fe...@internetallee.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #3 from Felix Schumacher <fe...@internetallee.de> ---
Patches should now be easier than ever after we switched to gradle and you have
to twiddle only at two places :)
I will do it this time and maybe next time it will be easier for you.
[Bug 63655] Please update dependency of jackson-databind and apache-tika
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63655
Felix Schumacher <fe...@internetallee.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
Would you like to do a PR or patch to update those?
And did you really mean "... for some days with noticing problems ...", or was
that a typo and you meant "... without ..."?