Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/03/25 10:19:31 UTC
[GitHub] [pulsar] nicoloboschi opened a new pull request #14871: [fix][security] Upgrade JacksonXML to get rid of CVE-2020-36518
nicoloboschi opened a new pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871
### Motivation
Jackson XML databind has a critical vulnerability - [CVE-2020-36518](https://nvd.nist.gov/vuln/detail/CVE-2020-36518)
More context here: https://github.com/FasterXML/jackson-databind/issues/2816
### Modifications
* Upgrade jackson-databind to 2.13.2.1
* Upgrade jackson-core to 2.13.2
- [x] `no-need-doc`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] Shoothzj commented on pull request #14871: [fix][security] Upgrade JacksonXML to get rid of CVE-2020-36518
Posted by GitBox <gi...@apache.org>.
Shoothzj commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1078910977
Is that a duplicate of #14794?
[GitHub] [pulsar] nicoloboschi commented on pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1079034179
The OWASP check fails due to:
```
athenz-zts-java-client-1.10.9.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2020-36518
```
athenz-zts-java-client-1.10.9.jar is an uber-jar containing a shaded version of jackson-databind. I opened this issue: https://github.com/AthenZ/athenz/issues/1824
It would be a good idea not to use the uber-jar, but that has to be handled in another pull, with more caution and testing.
For the moment the OWASP check will fail; we could suppress it, but that jar will be used in production, so it's better not to "forget" about it.
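A check for the shaded-copy problem described in the comment above, as an added example that is not part of the Pulsar PR, of Athenz, or of dependency-check: it opens a jar, reads the Maven `pom.properties` marker that a bundled jackson-databind leaves under `META-INF/maven/` (next to the `pom.xml` the OWASP check flagged), and reports any bundled version older than 2.13.2.1. The uber-jar it scans is constructed in memory; the function names are this example's own.

```python
"""Find shaded copies of jackson-databind inside a jar and compare them to the fixed version."""
import io
import re
import zipfile

# Maven writes this marker into every jar it builds; a shaded uber-jar keeps the markers
# of the artifacts it bundled, which is how the OWASP check spotted the hidden copy.
MARKER = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
FIXED_VERSION = "2.13.2.1"  # first jackson-databind release fixing CVE-2020-36518, per the PR


def parse_version(version):
    """Jackson uses up to four numeric components (2.13.2.1); pad so 2.13.2 < 2.13.2.1."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))


def bundled_databind_versions(jar_bytes):
    """Return every jackson-databind version declared in the jar's Maven metadata."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name != MARKER:
                continue
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    found.append(value.strip())
    return found


def vulnerable_versions(jar_bytes, fixed=FIXED_VERSION):
    """Bundled versions that predate the fix (empty list means the jar is clean)."""
    threshold = parse_version(fixed)
    return [v for v in bundled_databind_versions(jar_bytes) if parse_version(v) < threshold]


def build_sample_jar(databind_version):
    """Constructed sample: an uber-jar that shaded jackson-databind but kept its Maven marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(MARKER, "#Generated by Maven\nversion=%s\n"
                     "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n"
                     % databind_version)
        jar.writestr("com/example/shaded/Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for version in ("2.12.6", "2.13.2", "2.13.2.1"):
        print(version, "->", vulnerable_versions(build_sample_jar(version)))
```

Running it over a real jar directory (e.g. `lib/` of a Pulsar distribution) only needs `vulnerable_versions(open(path, "rb").read())` per file; note that a shader configured to strip `META-INF/maven` leaves no marker, so an empty result is not proof of absence.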
[GitHub] [pulsar] nicoloboschi commented on pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1079231137
I sent a PR to resolve the Athenz issue: https://github.com/apache/pulsar/pull/14884
[GitHub] [pulsar] nicoloboschi commented on pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518
Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1078925303
@Shoothzj the jackson-databind version which fixes the CVE is 2.13.2.1.
This pull supersedes https://github.com/apache/pulsar/pull/14794
[GitHub] [pulsar] dave2wave merged pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518
Posted by GitBox <gi...@apache.org>.
dave2wave merged pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871