Posted to issues@jmeter.apache.org by bu...@apache.org on 2019/11/26 12:00:24 UTC

[Bug 63963] New: Please update dependency of jackson to 2.9.10.1

https://bz.apache.org/bugzilla/show_bug.cgi?id=63963

            Bug ID: 63963
           Summary: Please update dependency of jackson to 2.9.10.1
           Product: JMeter
           Version: 5.2.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Main
          Assignee: issues@jmeter.apache.org
          Reporter: stefan@trilobyte-se.de
  Target Milestone: JMETER_5.2

as with the last similar tickets - Jackson Databind lib contained some new
vulnerabilities that are fixed with an update from 2.9.10 to 2.9.10.1.
I'll prepare a pull request for that.

It's been running on our systems for some days by now without problems, "gradlew
check" passes too.

Fixes:
* CVE-2019-16942 (Deserialization of Untrusted Data)
* CVE-2019-16943 (Deserialization of Untrusted Data)
* CVE-2019-17531 (Deserialization of Untrusted Data)

As mentioned before, the Jackson maintainers release patch level fixes that have
different version numbers from the main Jackson version, therefore the extra
gradle build variable for jackson databind is needed...

Thanks,
Stefan Seide

-- 
You are receiving this mail because:
You are the assignee for the bug.

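As an added example (not code from the ticket, the pull request or the JMeter project), the following Python script checks the Jackson Databind version pinned in a Gradle properties file against the 2.9.10.1 minimum named in the report. The property names and the sample properties content are assumptions. It shows why the separate databind build variable matters: the patch release carries a fourth version component, so a plain string comparison is not enough and 2.9.10 has to compare as lower than 2.9.10.1.

```python
"""Added example: check the Jackson Databind version pinned in a Gradle
properties file against a minimum fixed version.

Not part of the JMeter project. The property names and the sample
gradle.properties content below are constructed assumptions, chosen to
mirror the report's point that Jackson Databind gets patch releases
(2.9.10.1) whose version string has one more component than the rest of
the Jackson family (2.9.10), so it needs its own property."""

import re

# Constructed sample; the real project file is not reproduced here.
SAMPLE_GRADLE_PROPERTIES = """\
# constructed gradle.properties fragment (assumption)
jackson.version=2.9.10
jackson-databind.version=2.9.10
"""

# Minimum version that carries the fixes named in the ticket
# (CVE-2019-16942, CVE-2019-16943, CVE-2019-17531 are fixed in 2.9.10.1).
MIN_FIXED = {
    "jackson-databind.version": "2.9.10.1",
}


def parse_version(text):
    """Split '2.9.10.1' into (2, 9, 10, 1)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(parts)


def version_at_least(actual, minimum):
    """True if actual >= minimum, padding the shorter tuple with zeros
    so that 2.9.10 compares as 2.9.10.0, which is below 2.9.10.1."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def parse_properties(text):
    """Minimal key=value reader for Java-style properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_outdated(properties_text, minimums=MIN_FIXED):
    """Return {property: (pinned, required)} for every pin below its minimum.
    A missing property is reported too, with pinned set to None."""
    props = parse_properties(properties_text)
    outdated = {}
    for key, minimum in minimums.items():
        pinned = props.get(key)
        if pinned is None or not version_at_least(pinned, minimum):
            outdated[key] = (pinned, minimum)
    return outdated


if __name__ == "__main__":
    for key, (pinned, required) in find_outdated(SAMPLE_GRADLE_PROPERTIES).items():
        print(f"{key}: pinned {pinned}, need at least {required}")
```

Run as a script it reports the constructed sample's databind pin as outdated; the same check accepts 2.10.1 and 2.10.2, the versions the thread later moves to.
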
[Bug 63963] Please update dependency of jackson to 2.9.10.1

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #3 from Felix Schumacher <fe...@internetallee.de> ---
@Stefan, I hope the new version works for you, too. It would be nice, if you
could give the next nightly a test.

commit a2051bf7b0d407495800aeb895f0896a3f2fa348
AuthorDate: Tue Dec 3 19:09:22 2019 +0100

    Update to jackson 2.10.1

    Originally Stefan Seide proposed to update jackson databind to 2.9.10.1,
    but as jackson seems to have moved on to 2.10.x as the current major
    release, it is probably better to update to the current newest major
    version.

    Squashed commit of the following:

    commit b7d433cbee608b6d903424cca566c76282da15ea
    Author: Felix Schumacher <fe...@internetallee.de>
    Date:   Tue Dec 3 19:05:45 2019 +0100

        Update to jackson 2.10.1

    commit dd42b999efab2a29c7dbe2d613c3d21c6556f8df
    Author: Stefan Seide <ac...@seide.st>
    Date:   Tue Nov 26 13:01:30 2019 +0100

        update jackson dependency to 2.9.10.1

    Closes #546
    Bugzilla Id: 63963
---
 gradle.properties | 4 ++--
 xdocs/changes.xml | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

[Bug 63963] Please update dependency of jackson to 2.9.10.1

--- Comment #4 from S. Seide <st...@trilobyte-se.de> ---
yes - as the currently used version 2.9 of jackson only receives security bugfixes
anymore, the move to 2.10 should be made.
(https://github.com/FasterXML/jackson/wiki/Jackson-Releases)

We will look at it and give the jackson 2.10 a try. Will report back in some
days after using it.

Thanks,
Stefan Seide

[Bug 63963] Please update dependency of jackson to 2.9.10.1

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Felix Schumacher <fe...@internetallee.de> ---
What do you think of updating to 2.10.1?

[Bug 63963] Please update dependency of jackson to 2.9.10.1

--- Comment #1 from S. Seide <st...@trilobyte-se.de> ---
Pull request https://github.com/apache/jmeter/pull/546

[Bug 63963] Please update dependency of jackson to 2.9.10.1

Philippe Mouawad <p....@ubik-ingenierie.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |p.mouawad@ubik-ingenierie.c
                   |                            |om
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |FIXED
           Hardware|PC                          |All
   Target Milestone|JMETER_5.2                  |JMETER_6.0.0
                 OS|Linux                       |All

[Bug 63963] Please update dependency of jackson to 2.9.10.1

--- Comment #5 from Felix Schumacher <fe...@internetallee.de> ---
@Stefan, maybe you want to give this a try, too.

commit ddb3596a29d6b4722fdf4056cf3492103e37d194
AuthorDate: Sun Feb 16 21:51:45 2020 +0100

    Updated jackson to 2.10.2 (from 2.10.1)

    Bugzilla Id: 63963
    Relates to #546
---
 gradle.properties | 4 ++--
 xdocs/changes.xml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
