Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to Jackson 2.9.10.6 #1708

Merged
merged 1 commit into from
Nov 11, 2020
Merged

Upgrade to Jackson 2.9.10.6 #1708

merged 1 commit into from
Nov 11, 2020

Conversation

joschi
Copy link
Member

@joschi joschi commented Nov 11, 2020

This addresses several CVEs:

Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches

jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824

Closes #1706

@joschi
Upgrade to Jackson 2.9.10.6
9b876b3 
https://nvd.nist.gov/vuln/detail/CVE-2020-24750
https://nvd.nist.gov/vuln/detail/CVE-2020-24616

Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches

>  jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824
>
>  * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750
>  * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
>  * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset)
>  * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)
@joschi joschi added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability java Pull requests that update Java code labels Nov 11, 2020
@joschi joschi added this to the 4.1.15 milestone Nov 11, 2020
@joschi joschi requested review from a team November 11, 2020 07:26
@joschi joschi self-assigned this Nov 11, 2020
@sonarcloud
Copy link

sonarcloud bot commented Nov 11, 2020

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities (and Security Hotspot 0 Security Hotspots to review)
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@arteam arteam merged commit e5831a8 into release/4.1.x Nov 11, 2020
@arteam arteam deleted the jackson-2.9.10.6 branch November 11, 2020 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arteam arteam arteam approved these changes

Assignees

@joschi joschi

Labels
dependencies Pull requests that update a dependency file java Pull requests that update Java code security Pull requests that address a security vulnerability
Projects
None yet
Milestone
4.1.15
2 participants
@joschi @arteam