Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Upgrade to Jackson 2.9.10.6 #1708

Merged
merged 1 commit into from
Nov 11, 2020
Merged

Upgrade to Jackson 2.9.10.6 #1708

merged 1 commit into from
Nov 11, 2020

Conversation

joschi
Copy link
Member

@joschi joschi commented Nov 11, 2020

This addresses several CVEs:

Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches

jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824

Closes #1706

@joschi
Upgrade to Jackson 2.9.10.6
9b876b3 
https://nvd.nist.gov/vuln/detail/CVE-2020-24750
https://nvd.nist.gov/vuln/detail/CVE-2020-24616

Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches

>  jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824
>
>  * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750
>  * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
>  * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset)
>  * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)
@joschi joschi added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability java Pull requests that update Java code labels Nov 11, 2020
@joschi joschi added this to the 4.1.15 milestone Nov 11, 2020
@joschi joschi requested review from a team November 11, 2020 07:26
@joschi joschi self-assigned this Nov 11, 2020
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities (and Security Hotspot 0 Security Hotspots to review)
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@arteam arteam merged commit e5831a8 into release/4.1.x Nov 11, 2020
@arteam arteam deleted the jackson-2.9.10.6 branch November 11, 2020 13:04
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@arteam arteam arteam approved these changes

Assignees

@joschi joschi

Labels
dependencies Pull requests that update a dependency file java Pull requests that update Java code security Pull requests that address a security vulnerability
Projects
None yet
Milestone
4.1.15
2 participants
@joschi @arteam