Posted to notifications@skywalking.apache.org by wu...@apache.org on 2020/03/24 09:31:50 UTC

[skywalking] branch cve-fix created (now 8acc82b)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a change to branch cve-fix
in repository https://gitbox.apache.org/repos/asf/skywalking.git.


      at 8acc82b  Upgrade jackson-databind version to 2.9.10

This branch includes the following new commits:

     new 8acc82b  Upgrade jackson-databind version to 2.9.10

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[skywalking] 01/01: Upgrade jackson-databind version to 2.9.10

Posted by wu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch cve-fix
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit 8acc82b1c61b714188e40a736669bce9b8d5906d
Author: Wu Sheng <wu...@foxmail.com>
AuthorDate: Tue Mar 24 17:31:17 2020 +0800

    Upgrade jackson-databind version to 2.9.10
---
 apm-webapp/pom.xml                 | 13 +++++++++++++
 dist-material/release-docs/LICENSE |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/apm-webapp/pom.xml b/apm-webapp/pom.xml
index 2ca7200..674c458 100644
--- a/apm-webapp/pom.xml
+++ b/apm-webapp/pom.xml
@@ -38,6 +38,7 @@
         <spring-cloud-dependencies.version>Edgware.SR1</spring-cloud-dependencies.version>
         <frontend-maven-plugin.version>1.6</frontend-maven-plugin.version>
         <logback-classic.version>1.2.3</logback-classic.version>
+        <jackson-version>2.9.10</jackson-version>
 
         <ui.path>${project.parent.basedir}/skywalking-ui</ui.path>
     </properties>
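Review bot: the property added after `logback-classic.version` is named `jackson-version`, while the neighbouring properties all use a `.version` suffix (`frontend-maven-plugin.version`, `logback-classic.version`). Since it is only used for the jackson-databind artifact, a name such as `jackson-databind.version` would follow the existing convention and make clear that the other Jackson artifacts are not covered by it.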
@@ -64,6 +65,18 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
             <version>${spring.boot.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- https://www.cvedetails.com/cve/CVE-2019-17267/ -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson-version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
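Review bot: the new direct dependency pins only `jackson-databind`; `jackson-core` and `jackson-annotations` are not declared here, so their versions are still decided by whatever the Spring Boot starters bring in. Mixing databind 2.9.10 with 2.8.x core or annotations jars is a known source of runtime linkage errors, so please either declare the sibling artifacts with the same version or manage all three in a `<dependencyManagement>` section, and confirm the resolved set with `mvn dependency:tree`. The exclusion is also applied to `spring-boot-starter-actuator` only; the directly declared version already takes precedence over transitive ones in Maven's mediation, so the exclusion can be dropped, or it should be explained why this one starter needs it. Finally, the comment links to a third-party page for CVE-2019-17267; naming the CVE in the commit message as well would make the reason for the pin searchable in the history.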
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index 79c643f..69d352a 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -278,7 +278,7 @@ The text of each license is the standard Apache 2.0 license.
     instrumentation-api 0.4.3: https://github.com/google/instrumentation-java, Apache 2.0
     jackson-annotations 2.8.0: https://github.com/FasterXML/jackson-annotations, Apache 2.0
     jackson-core 2.8.8: https://github.com/FasterXML/jackson-core, Apache 2.0
-    jackson-databind 2.8.8: https://github.com/FasterXML/jackson-databind, Apache 2.0
+    jackson-databind 2.9.10: https://github.com/FasterXML/jackson-databind, Apache 2.0
     jackson-dataformat 2.8.6: https://github.com/FasterXML/jackson-dataformats-binary, Apache 2.0
     jackson-datatype-jdk8 2.8.8: https://github.com/FasterXML/jackson-modules-java8/tree/jackson-modules-java8-2.8.8, Apache 2.0
     jackson-module-kotlin 2.8.8: http://kotlinlang.org, Apache 2.0
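Review bot: only the `jackson-databind` entry is changed to 2.9.10, while the adjacent `jackson-annotations 2.8.0` and `jackson-core 2.8.8` entries stay as they were. This LICENSE describes the whole release distribution, but the diffstat shows the version was raised in `apm-webapp/pom.xml` only, so please check the jars actually packaged: if another module still ships jackson-databind 2.8.8, or if the upgrade also changes the resolved core and annotations versions, the list needs the matching entries.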