Posted to dev@qpid.apache.org by "Alex Rudyy (Jira)" <ji...@apache.org> on 2019/10/03 10:57:00 UTC
[jira] [Updated] (QPID-8329) [Broker-J] Upgrade jackson dependencies to version 2.9.9
[ https://issues.apache.org/jira/browse/QPID-8329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy updated QPID-8329:
-----------------------------
Fix Version/s: (was: qpid-java-broker-7.1.5)
(was: qpid-java-broker-8.0.0)
> [Broker-J] Upgrade jackson dependencies to version 2.9.9
> --------------------------------------------------------
>
> Key: QPID-8329
> URL: https://issues.apache.org/jira/browse/QPID-8329
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Alex Rudyy
> Assignee: Alex Rudyy
> Priority: Major
>
> The CVE vulnerabilities CVE-2019-12086, CVE-2019-12384, CVE-2019-12814
> have been reported against jackson-core and jackson-databind versions 2.9.8.
> The Apache Qpid Broker-J product itself is NOT AFFECTED by these vulnerabilities because Broker-J code never enables Jackson's
> polymorphic deserialisation feature, specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.
> Even though it is believed the vulnerability cannot be exploited, this Jira will upgrade the dependencies of Broker-J to versions of jackson-core and jackson-databind that are not vulnerable to the reported CVEs:
> * jackson-core 2.9.9
> * jackson-databind 2.9.9.1
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
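The precondition the issue relies on (the reported databind CVEs only bite when Jackson's default typing is enabled), shown as an added example that is not Broker-J or Jackson project code. It assumes jackson-databind 2.9.x on the classpath; the "[type id, value]" input is constructed for the demo and names a harmless JDK class rather than a gadget:

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/**
 * Added example (not Broker-J code). Demonstrates what enableDefaultTyping()
 * changes about untrusted input, and a runtime check for a mapper that has it on.
 * Assumes jackson-databind 2.9.x.
 */
public class DefaultTypingDemo {

    // Constructed input in Jackson's WRAPPER_ARRAY form: [type id, value].
    // With default typing on, the first element selects the class to instantiate.
    static final String TYPED_JSON = "[\"java.util.LinkedList\", [1, 2, 3]]";

    /** Deserialises TYPED_JSON into Object with the given mapper and returns the runtime class. */
    static Class<?> classChosenBy(ObjectMapper mapper) throws IOException {
        Object value = mapper.readValue(TYPED_JSON, Object.class);
        return value.getClass();
    }

    /**
     * True if the mapper carries a global default typer, i.e. someone called
     * enableDefaultTyping(...) or setDefaultTyping(...). Annotation-driven
     * polymorphism (@JsonTypeInfo) is not visible here.
     */
    static boolean hasDefaultTyping(ObjectMapper mapper) {
        JavaType any = mapper.getTypeFactory().constructType(Object.class);
        return mapper.getDeserializationConfig().getDefaultTyper(any) != null;
    }

    public static void main(String[] args) throws IOException {
        // Mapper as Broker-J builds it: no default typing.
        ObjectMapper plain = new ObjectMapper();
        // The unsafe setting the issue says Broker-J never uses.
        ObjectMapper typed = new ObjectMapper().enableDefaultTyping();

        // The plain mapper treats the type id as ordinary data: the result is a
        // List holding a String and a nested List, nothing is instantiated by name.
        System.out.println("plain: defaultTyping=" + hasDefaultTyping(plain)
                + " -> " + classChosenBy(plain).getName());

        // The typed mapper lets the input choose the class; with a gadget class
        // on the classpath this is the entry point the CVEs describe.
        System.out.println("typed: defaultTyping=" + hasDefaultTyping(typed)
                + " -> " + classChosenBy(typed).getName());
    }
}
```

hasDefaultTyping uses MapperConfig#getDefaultTyper, which returns the global TypeResolverBuilder installed by enableDefaultTyping/setDefaultTyping and null otherwise. It does not see per-type @JsonTypeInfo annotations or a custom TypeResolverBuilder registered through annotations, so a source search for @JsonTypeInfo and TypeResolverBuilder, as the issue describes, is still needed alongside this runtime check.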