Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2018/03/20 13:04:00 UTC
[jira] [Assigned] (QPID-8136) [Broker-J] Upgrade Jackson dependencies
[ https://issues.apache.org/jira/browse/QPID-8136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall reassigned QPID-8136:
--------------------------------
Assignee: Keith Wall
> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
> Key: QPID-8136
> URL: https://issues.apache.org/jira/browse/QPID-8136
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Keith Wall
> Assignee: Keith Wall
> Priority: Major
> Fix For: qpid-java-broker-7.1.0, qpid-java-6.1.6, qpid-java-broker-7.0.3
>
>
> CVE-2017-7525 was recently published against the Jackson-databind component. Broker-J uses the library for the persistence of configuration and for interpreting the payloads of some network requests.
> Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed
> that Apache Qpid Broker-J product itself is *NOT AFFECTED* by this vulnerability. This is because Broker-J code never enables Jackson's
> polymorphic deserialisation features: specifically it never makes calls to Object#enableDefaultTyping(...) nor does it use
> TypeResolverBuilders or annotations that enable the feature.
> Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of the Jackson-databind that are not vulnerable to this issue:
> For:
> * master (upgrade from 2.8.7 to 2.9.4)
> * 7.0.x (upgrade from 2.8.7 to 2.8.11)
> * 6.1.x (upgrade from 2.8.7 to 2.8.11)
> There is no release planned for 6.0.x. Users are recommended to move to the 7.0 line.
> Also see:
> http://mail-archives.apache.org/mod_mbox/qpid-users/201803.mbox/%3cCAFEMS4tdrS_=st85J+-XQFm8nc3AvX4x0ay10jQmpynmDLY9dw@mail.gmail.com%3e
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
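The issue description above rests on one configuration fact: CVE-2017-7525 is only reachable when an ObjectMapper has default (polymorphic) typing enabled, and Broker-J never enables it. The following is an added example, not Broker-J code and not part of the JIRA message, that builds a mapper the way the description says Broker-J does, shows how a type-id property in a constructed payload is treated when default typing is off, and gives a small check a reviewer can run against any ObjectMapper instance. `QueueConfig` and the JSON strings are constructed for the example; `isDefaultTypingEnabled` relies on `MapperConfig#getDefaultTyper` from the Jackson 2.x line, which returns the `TypeResolverBuilder` installed by `enableDefaultTyping(...)` or null when none was installed.

```java
import java.util.Map;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

/**
 * Added example (not Broker-J code). Demonstrates the setting that decides whether
 * CVE-2017-7525 is reachable: whether default typing has been enabled on the mapper.
 * The mapper in newMapper() follows the usage the issue describes for Broker-J:
 * no enableDefaultTyping(...) call and no custom TypeResolverBuilder.
 */
public class JacksonTypingCheck {

    /** Constructed stand-in for a persisted configuration record; not a Broker-J class. */
    public static class QueueConfig {
        public String name;
        public int maximumQueueDepthMessages;
    }

    /** Mapper built with Jackson defaults; default typing is never enabled. */
    public static ObjectMapper newMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Jackson's default already rejects unknown properties; enabling it explicitly
        // documents that an unexpected "@class" field is expected to fail loudly.
        mapper.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return mapper;
    }

    /** True when a default-typing resolver is installed on the mapper. */
    public static boolean isDefaultTypingEnabled(ObjectMapper mapper) {
        // getDefaultTyper returns the TypeResolverBuilder set by enableDefaultTyping(...),
        // or null when polymorphic default typing was never turned on.
        return mapper.getDeserializationConfig().getDefaultTyper(null) != null;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = newMapper();
        System.out.println("default typing enabled: " + isDefaultTypingEnabled(mapper));

        // Constructed input: a well-formed config document, and one carrying a Jackson
        // type-id property. The class name is a placeholder; the point is how the
        // property is treated, not what it names.
        String good = "{\"name\":\"orders\",\"maximumQueueDepthMessages\":1000}";
        String withTypeId = "{\"@class\":\"example.PlaceholderClass\",\"name\":\"orders\"}";

        QueueConfig cfg = mapper.readValue(good, QueueConfig.class);
        System.out.println("parsed queue: " + cfg.name
                + " depth=" + cfg.maximumQueueDepthMessages);

        // 1) Binding to a concrete type: "@class" is just an unknown property and is rejected.
        try {
            mapper.readValue(withTypeId, QueueConfig.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("rejected as unknown property: " + e.getPropertyName());
        }

        // 2) Binding to Object: without default typing, "@class" is ordinary map data,
        //    not an instruction to instantiate a class.
        Object untyped = mapper.readValue(withTypeId, Object.class);
        System.out.println("bound as " + untyped.getClass().getSimpleName()
                + " with keys " + ((Map<?, ?>) untyped).keySet());

        // 3) The weak configuration the issue says Broker-J never uses, included only so
        //    the check above can be seen to flip on a mapper where typing was enabled.
        ObjectMapper weak = new ObjectMapper().enableDefaultTyping();
        System.out.println("default typing enabled on weak mapper: " + isDefaultTypingEnabled(weak));
    }
}
```

Compile against jackson-databind on the 2.8 or 2.9 line named in the issue. The `isDefaultTypingEnabled` check is the part worth keeping: running it over every ObjectMapper a code base constructs is a quicker way to confirm the "not affected" reasoning than reading for `enableDefaultTyping` calls by hand, since it also catches a resolver installed through `setDefaultTyping(...)` or a custom `TypeResolverBuilder`.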