You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@storm.apache.org by GitBox <gi...@apache.org> on 2022/10/18 06:29:07 UTC

[GitHub] [storm] denglunfuren opened a new pull request, #3501: fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1

denglunfuren opened a new pull request, #3501:
URL: https://github.com/apache/storm/pull/3501

   ### What happened？
   There are 2 security vulnerabilities found in com.fasterxml.jackson.core:jackson-databind 2.10.5.1
   - [CVE-2020-36518](https://www.oscs1024.com/hd/CVE-2020-36518)
   - [MPS-2022-12500](https://www.oscs1024.com/hd/MPS-2022-12500)
   
   
   ### What did I do？
   Upgrade com.fasterxml.jackson.core:jackson-databind from 2.10.5.1 to 2.12.6.1 for vulnerability fix
   
   ### What did you expect to happen？
   Ideally, no insecure libs should be used.
   
   ### The specification of the pull request
   [PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@storm.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [storm] bipinprasad commented on pull request #3501: [STORM-3885] fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1

Posted by GitBox <gi...@apache.org>.

bipinprasad commented on PR #3501:
URL: https://github.com/apache/storm/pull/3501#issuecomment-1287522460

   Probably needs some code change.
   https://app.travis-ci.com/github/apache/storm/jobs/585564257 line 6680
   Error in external/storm-elasticsearch/src/test/java/org/apache/storm/elasticsearch/common/EsTestUtil.java:[56,30] cannot find symbol
   Breaking change with NodeBuilder: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/breaking_50_java_api_changes.html


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@storm.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] [STORM-3885] fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1 (storm)

Posted by "rzo1 (via GitHub)" <gi...@apache.org>.

rzo1 commented on PR #3501:
URL: https://github.com/apache/storm/pull/3501#issuecomment-1693189903

   see https://github.com/apache/storm/pull/3571


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@storm.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

Re: [PR] [STORM-3885] fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1 (storm)

Posted by "rzo1 (via GitHub)" <gi...@apache.org>.

rzo1 closed pull request #3501: [STORM-3885] fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1
URL: https://github.com/apache/storm/pull/3501


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@storm.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [storm] bipinprasad commented on pull request #3501: [STORM-3885] fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1

Posted by GitBox <gi...@apache.org>.

bipinprasad commented on PR #3501:
URL: https://github.com/apache/storm/pull/3501#issuecomment-1287457886

   https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind shows that 2.12.6.1 has two different vulnerabilities:
   Direct vulnerabilities:
   [CVE-2022-42004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42004)
   [CVE-2022-42003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42003)
   
   ref page: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.12.6.1


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@storm.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [storm] bipinprasad commented on pull request #3501: fix(sec): upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.6.1

Posted by GitBox <gi...@apache.org>.

bipinprasad commented on PR #3501:
URL: https://github.com/apache/storm/pull/3501#issuecomment-1287441366

   Looks like this needs some code change since the class com/fasterxml/jackson/core/util/JacksonFeature is not found.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@storm.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org