Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/03/25 10:19:31 UTC

[GitHub] [pulsar] nicoloboschi opened a new pull request #14871: [fix][security] Upgrade JacksonXML to get rid of CVE-2020-36518

nicoloboschi opened a new pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871


   ### Motivation
   Jackson XML databind has a critical vulnerability -  [CVE-2020-36518](https://nvd.nist.gov/vuln/detail/CVE-2020-36518)
   More context here: https://github.com/FasterXML/jackson-databind/issues/2816
    
   ### Modifications
   
   * Upgrade jackson-databind to 2.13.2.1
   * Upgrade jackson-core to 2.13.2
   
   - [x] `no-need-doc` 
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] Shoothzj commented on pull request #14871: [fix][security] Upgrade JacksonXML to get rid of CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1078910977


   Is that a duplicate of #14794?





[GitHub] [pulsar] nicoloboschi commented on pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1079034179


   The OWASP check fails due to:
   ```
   athenz-zts-java-client-1.10.9.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2020-36518
   ```
   
   athenz-zts-java-client-1.10.9.jar is an uber-jar containing a shaded version of jackson-databind. I opened this issue: https://github.com/AthenZ/athenz/issues/1824
   
   It would be a good idea not to use the uber-jar, but that has to be handled in another pull, with more caution and testing.
   For the moment the OWASP check will fail; we could suppress it, but that jar will be used in production, so it's better not to "forget" about it.
   


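The failing check above shows why bumping a version in the top-level pom is not the whole story: a shaded copy of jackson-databind inside an uber-jar keeps its own version and its own vulnerability. The script below is an added example (not code from Pulsar, Athenz or OWASP dependency-check) that does the same kind of detection on a jar: it looks for the Maven metadata entry `META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml` (the exact path the OWASP report pointed at), reads the declared version, and flags anything older than 2.13.2.1, the fix version named in this thread. The uber-jar it scans is constructed inline so the example runs offline; the threshold assumes the 2.13.x line, since other release branches carry their own backported fixes.

```python
"""Find shaded copies of jackson-databind inside a jar and flag versions older than
the fix release named in the thread. Added example; sample jar is constructed inline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Maven writes this entry into every jar it builds; a shading plugin copies it along with
# the classes, which is exactly how the OWASP scan spotted databind inside the athenz jar.
JACKSON_DATABIND_POM = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml"

# Version the thread names as fixing CVE-2020-36518. Assumption: we are on the 2.13.x line;
# other branches have their own backports, so take the threshold from the advisory you follow.
FIXED_VERSION = "2.13.2.1"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.13.2.1' into (2, 13, 2, 1) so tuple comparison orders versions numerically.
    A trailing qualifier such as '2.13.2-rc1' is reduced to its leading digits."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def embedded_databind_version(jar_bytes: bytes) -> Optional[str]:
    """Return the jackson-databind version declared by a shaded pom.xml, or None if the jar
    carries no such entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if JACKSON_DATABIND_POM not in zf.namelist():
            return None
        root = ET.fromstring(zf.read(JACKSON_DATABIND_POM))
    # Maven POMs declare a default XML namespace; prefix tag names with it for lookups.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    version = root.find(f"{ns}version")
    if version is None:
        # A module may inherit its version from its parent POM.
        version = root.find(f"{ns}parent/{ns}version")
    return version.text.strip() if version is not None and version.text else None


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the embedded version predates the fix release."""
    return parse_version(version) < parse_version(fixed)


def scan_jar(jar_bytes: bytes, fixed: str = FIXED_VERSION) -> dict:
    """Summarise one jar: whether databind is shaded into it, which version, and whether
    that version still falls below the fix release."""
    version = embedded_databind_version(jar_bytes)
    return {
        "shaded_databind": version is not None,
        "version": version,
        "affected": version is not None and is_affected(version, fixed),
    }


def build_sample_jar(databind_version: str) -> bytes:
    """Constructed sample: a minimal uber-jar with a shaded jackson-databind pom.xml.
    The version it embeds is whatever the caller passes, not a real Athenz release."""
    pom = f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>{databind_version}</version>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JACKSON_DATABIND_POM, pom)
        zf.writestr("com/example/shaded/Placeholder.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.13.2", "2.13.2.1"):
        print(v, "->", scan_jar(build_sample_jar(v)))
```

The point of reading the Maven metadata rather than trusting the dependency tree is that `mvn dependency:tree` only sees the uber-jar's own coordinates; the shaded databind never appears there, which is why the thread could not make the finding go away by bumping the managed version alone.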



[GitHub] [pulsar] nicoloboschi commented on pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1079231137


   I sent a PR to resolve the Athenz issue: https://github.com/apache/pulsar/pull/14884





[GitHub] [pulsar] nicoloboschi commented on pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871#issuecomment-1078925303


   @Shoothzj the jackson-databind version which fixes the CVE is 2.13.2.1.
   This pull supersedes https://github.com/apache/pulsar/pull/14794





[GitHub] [pulsar] dave2wave merged pull request #14871: [fix][security] Upgrade jackson and jackson-databind (2.13.2.1) to get rid of CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
dave2wave merged pull request #14871:
URL: https://github.com/apache/pulsar/pull/14871


   

